Consent Management

Kirby

Best case scenario might be to turn off XenForo's cookie ...manager and just use some consent management platform of your choosing. Maybe one that allows you to load and block scripts, as the user desires. Good ones also hide iframes (such as youtube embeds) behind an opt-in-layer.
Almost right :-)

The main problem here is that external solutions on their own can't reliably block content / cookies before it reaches the user.

An external solution, for example, could never block a first-party cookie that is set via HTTP header (the external JavaScript would only be loaded after the headers have already been processed, at which point the cookie would already have been stored).

I mean XF's own cookies are technically necessary (for the software to work), so no consent needed there.
This is not correct - XenForo uses essential and optional cookies; not all cookies set by XenForo are technically necessary.
Even some of the cookies classified as "essential" aren't really required (like xf_toggle).
So strictly speaking, those optional cookies do need consent.

I mean I do appreciate the effort the XenForo team puts into this - but at the same time (having to do this horse poo for all our company sites), I come to the conclusion that this is a bottomless pit.
There are basically two things that need to be done
  1. Gathering / Managing consent
  2. Reacting to signals (eg. block or deliver content)
XenForo currently somewhat tries to do both and I totally agree that this is an uphill battle.

Doing a full-blown consent management solution is waay more complicated and involved than it looks on the surface.

How many do you know of who have actually been taken to court and been prosecuted?
I personally do know several such cases, it's definitely not just "paranoia".

I think consent management should not be part of any forum software (or even any website software at all). It is not trivial and not easy to deal with if done correctly. There is much more involved than cookie banners and buttons to click.
Yes, definitely.

But as pointed out before, external CMP technically can't work reliably without support from the website software.
The software must provide the necessary interfaces to react on signals so unconsented content can be blocked reliably.
Without such support, external CMPs can only do "best effort" - and in most cases this will break in some scenarios.

XenForo can provide this necessary support infrastructure / interfaces, and in fact 2.2.12, while not yet perfect, has made a big step forward here.

There are a lot of very sophisticated and trustable software solutions just for consent management. If you have a business website in Europe you should use one of them.
Absolutely. If ad networks are involved, you are pretty much required to use a TCFv2 compatible CMP.
As said before though, support for reacting on signals is also required for a "waterproof" solution.

Well and again, we are talking about a "European problem", not a "German problem".
I think this is important :)
In most cases, German laws are based on EU regulation, Germany is usually just way more strict (than other member states) to actually enforce compliance.

AFAIK there's no third-party Consent Solution which you can easily integrate into a XenForo installation until now (because of missing hooks, lack of documentation, etc.).
I am unfortunately not aware of any 3rd party CMP that could be used for a XenForo installation and that would reliably block 3rd party content (without adding quite some code to XenForo, template modifications, etc.)

If XenForo addresses all the issues (both bugs and to some extent suggestions, though those are more targeted at improving the built-in consent management) I've submitted regarding "Advanced Cookie Consent", it would most likely provide everything that is needed for an external CMP to properly do its job :-)
 
An external solution, for example, could never block a first-party cookie that is set via HTTP header (the external JavaScript would only be loaded after the headers have already been processed, at which point the cookie would already have been stored).
Right, but it could block iframes from loading and external scripts that you implement (such as ads).

And well, let's be real, the software itself should not set any cookies using HTTP headers that are not, well, necessary. That said, the script could delete those cookies. The problem is less "getting" the cookies but more "returning them to the server": when the server sets a cookie, the server obviously already has the information it wants to have stored with the user.

From what "I" was getting from our privacy consultant, the problem is when stuff tracks you. So when the information can be used like outside the site you are currently on. Which none of XF's own cookies would be.

I think we have to debate the definition of "necessary" and "optional"...
This is not correct - XenForo uses essential and optional cookies; not all cookies set by XenForo are technically necessary.
Even some of the cookies classified as "essential" aren't really required (like xf_toggle).
I would argue with that. Like xf_toggle stores what the user toggles so it remembers next time. This is like part of the software and a feature that just would not work if you could disagree with it.

It is like an online shop where you are not logged in. You put something in your shopping cart and... Well TECHNICALLY the cookie, what's in the cart, is not needed, because the website itself would work just as well. Yet, not having this cookie breaks an important feature.

I would argue that any cookie the software sets to provide functionality can be considered technically necessary.
Absolutely. If ad networks are involved, you are pretty much required to use a TCFv2 compatible CMP.
TCFv2 is not GDPR compliant on its own.
See: https://techcrunch.com/2020/10/16/i...onsent-framework-found-to-fail-gdpr-standard/
 
And well let's be real, the software itself should not set any cookies using HTTP headers that are not, well, necessary.
Agreed. Though as it is right now, XenForo does set at least one "optional" (even by their own definition) cookie via HTTP header: xf_from_search

That said, the script could delete those cookies.
Sure. But for a (short) period of time the cookie would be stored on the user's device - this should be avoided (and can be avoided if the software, in this case XenForo, does check consent before setting such cookies).

I would argue with that. Like xf_toggle stores what the user toggles so it remembers next time. This is like part of the software and a feature that just would not work if you could disagree with it.
Yes, it would not work if such cookies could be rejected.
But how is that different from XenForo remembering the last used smilies / emojis?
The cookie used for this (xf_emoji_usage) is (by their own definition) classified as "Optional".

XenForo describes optional cookies as
We deliver enhanced functionality for your browsing experience by setting these cookies. If you reject them, enhanced functionality will be unavailable.
To me, this perfectly fits for xf_toggle (and a few others as well) - it enhances the browsing experience by remembering the toggle state of controls.
Without this cookie, the user could still toggle an element (like collapse a category) on a page, but this would not be remembered.

I would argue that any cookie the software sets to provide functionality can be considered technically necessary.
That could be twisted so every cookie becomes "technically necessary" ;)

Is it "functionality" if there is a feature to randomly show an ad (from a larger collection) and remember which ad was shown to a user so the same ad doesn't get displayed twice (within a certain time)?

I'd say no, this clearly isn't functionality - the ad is not required to use the website.
On the other hand an online shop would be severely limited if you can't have a shopping cart.

So those are two examples that seem to be pretty clear in one or the other direction.

Things like "preferences" (which IMHO fits both xf_emoji_usage and xf_toggle) are more difficult; the general consensus (in Germany) seems to be that such cookies are not essential.

Yeah, I know - but there is no alternative (short of not using ad networks as basically everyone requires TCFv2 signals).
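As an added illustration of the point made in this post and in the first one (a purely client-side CMP runs only after the Set-Cookie headers have already been processed, so the web software itself has to check consent before emitting an optional cookie like xf_from_search), here is a small server-side gate in JavaScript. It is example code, not XenForo's; the consent cookie name `consent_prefs` and the "essential" classification of `xf_session` are assumptions, the other cookie names and categories are the ones discussed in the thread.

```javascript
// Added example, not XenForo code: decide server-side which Set-Cookie
// headers a response may carry, based on the consent already recorded in
// the request. A client-side script cannot do this, since the browser has
// stored header-set cookies before any page script runs.

// Cookie registry constructed from the thread's classifications.
const COOKIE_REGISTRY = {
  xf_session: "essential",    // assumed essential: login would not work without it
  xf_toggle: "essential",     // classified essential by XenForo (disputed above)
  xf_from_search: "optional", // optional, yet currently set via HTTP header
  xf_emoji_usage: "optional", // optional: remembers recently used emojis
};

// Hypothetical consent cookie: "consent_prefs=optional" means optional cookies
// were accepted, any other value (or no cookie) means essentials only.
const CONSENT_COOKIE = "consent_prefs";

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Parse a request Cookie header into { name: value }.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = safeDecode(part.slice(idx + 1).trim());
  }
  return jar;
}

function optionalAllowed(jar) {
  return jar[CONSENT_COOKIE] === "optional";
}

// wanted: { name: value } cookies the application would like to set on this
// response. Returns the Set-Cookie header values that may actually be sent.
function buildSetCookieHeaders(cookieHeader, wanted) {
  const jar = parseCookieHeader(cookieHeader);
  const allowOptional = optionalAllowed(jar);
  const headers = [];
  for (const [name, value] of Object.entries(wanted)) {
    const category = COOKIE_REGISTRY[name];
    if (category === undefined) {
      // Refuse to emit anything that has not been classified first.
      throw new Error(`unclassified cookie ${name}: classify before setting`);
    }
    if (category === "essential" || allowOptional) {
      headers.push(`${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`);
    }
  }
  // Reacting to a withdrawn or missing consent: expire optional cookies the
  // browser still holds on this very response, instead of waiting for a
  // client-side script to delete them later.
  if (!allowOptional) {
    for (const name of Object.keys(jar)) {
      if (COOKIE_REGISTRY[name] === "optional") {
        headers.push(`${name}=; Path=/; Max-Age=0; Secure; SameSite=Lax`);
      }
    }
  }
  return headers;
}
```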
 
The cookie used for this (xf_emoji_usage) is (by their own definition) classified as "Optional".
To me, this perfectly fits for xf_toggle - it enhances the browsing experience by remembering the toggle state of controls.
Without this cookie, the user could still toggle an element (like collapse a category) on a page, but this would not be remembered.
Honestly, I feel like the one (but not the other) cookie being - by XF's own definition - classified as essential vs. optional is so they do have cookies that can be declined. Sure, you could make an argument that it's not the case - but it's also not that hard to argue that even the emoji cookie is sort of essential (if you use the emoji picker).
Is it "functionality" if there is a feature to randomly show an ad (from a larger collection) and remember which ad was shown to a user so the same ad doesn't get displayed twice (within a certain time)?

I'd say no, this clearly isn't functionality - the ad is not required to use the website.
See and that is a main difference between essential and non-essential cookies. The ad clearly is not essential, in any way, in fact, it is an afterthought. Especially in the context of XenForo here, because XF itself ships without ads (that would need cookies/load external scripts). If you want them, it's not hard to implement, but you do have to bring them yourself.

Asterisk: All my "knowledge", and maybe some of this is interpretation and half of it might be plain wrong, is based on what our privacy consultant told me. And on what the letters from the authorities told us.
The other problem here is that there are few real court rulings. So we have the laws, and those are up for interpretation, until a court decides on what is canon.
 
Sorry, but this reads as if you don't run a website from/in Europe. Because if you did, you would know that the GDPR is not only valid for commercial forums but also for private forums run as a hobby.

There is no reason to set cookies at a "hobby" site besides the technically required ones. You can simply deactivate all other cookies and don't need a consent solution at all. I would highly recommend that for any hobby site out of Europe. You don't want to struggle with a full-fledged consent management solution and take any legal risk for a hobby only.

Commercial sites on the other hand need a sophisticated consent solution with all the bells and whistles. Usually, this is handled by a very complex software solution. We use https://www.ccm19.de/en/ and are very satisfied with it. But they recently switched to a monthly cloud subscription model instead of the regular software license model they used before. We run this software on our own server and use it for the content management of all our sites, but I think this is unfortunately no longer possible for new customers.

But I would never expect XenForo to code and integrate such a consent management solution into their software.
 
Looks interesting! How difficult is the integration into Xenforo?

We use it for all kinds of sites, not only XenForo. Since all of our sites are fully monetized, managing cookies is not easy. XenForo sets only a bunch of cookies itself, so managing them is no problem. Media sites integrated into posts are not loaded without consent, the same with all external scripts.

The software detects and classifies all cookies on our sites automatically and stops setting them or opening iframes or running scripts before consent is given. We have sites with more than 5000 detected and classified cookies, all handled by consent management with a proven consent record for each visitor.
 
We use https://www.consentmanager.net/ with a half-automatic blocking method. You have to add some code into the page container and prevent Google Ads from setting the cookie before the consent with extra code. This is no problem with @Siropu AdManager which we use.

That being said all those cookie consent forms are a pain in the ass for the forum host as well as for your visitors. If you put the consent form in a way that it meets (hopefully) all legal requirements, most visitors will click on "reject" to get done quickly with the disturbance.
 
That being said all those cookie consent forms are a pain in the ass for the forum host as well as for your visitors. If you put the consent form in a way that it meets (hopefully) all legal requirements, most visitors will click on "reject" to get done quickly with the disturbance.

This is correct. The best way would be to not allow any cookies except the technical ones.

Since this is not possible until now (hopefully sometimes), you have to take the second-best route. We do not allow to get any content from our site without paying an access fee or accepting cookies.

So a reject to cookies and a reject to pay is a reject to access our site. This seems to be legally possible since many of the larger news sites do it that way. Also ad-blocking users are forced to pay or leave.
 
You can simply deactivate all other cookies and don't need a consent solution at all.
Hmm ... how would you do that? XenForo out-of-the-box uses cookies that are not technically required:

As far as I know there is no option to turn those off (without custom code).

And even if those are turned off all 3rd party cookies would have to be turned off as well which means:
  • No Google Analytics
  • Limited choice of CAPTCHA providers
  • No embedded media
  • No paid upgrades (probably not relevant for a hobby site)

That might be too many restrictions, even for a hobby site.

@AnjaC
Unfortunately Consentmanager.net automatic blocking does not work reliably (most likely automatic blocking does not work reliably with any pure JavaScript solution).


Please be aware, that automatic blocking is not 100% safe! If you want to ensure compliance, you should always prefer manual blocking over automatic blocking for codes and cookies!
 
We do not allow to get any content from our site without paying an access fee or accepting cookies.
How do you handle embedded media for paying users that do not want their cookies?
 
Hmm ... how would you do that? XenForo out-of-the-box uses cookies that are not technically required:

Those cookies are not set with our version of XenForo.
And if we ever upgrade to it and think that they are needed by us, we would simply declare them as technically required.

But you are right: If those 2 cookies are not really needed or important, it should be possible to turn them off with a simple admin setting.
 
How do you handle embedded media for paying users that do want their cookies?

I don't understand. If they do want cookies, there is no problem. If they reject cookies, there won't be embedded media and a consent form for the cookie will be shown instead. This is done automatically by our consent management software.
 
  • No Google Analytics
  • Limited choice of CAPTCHA providers

We do not use GA and switched to self-hosted Matomo a long time ago without any regrets.

We also use our own self-programmed captcha solution, which works without cookies and cannot be overridden by registration bots.
 
If they reject cookies, there won't be embedded media and a consent form for the cookie will be shown instead. This is done automatically by our consent management software.
I guess I misunderstood your setup:
I thought you offer visitors the choice to either accept cookies or to pay so you don't need consent management for those who choose to pay.

So my question was how you are handling embedded media (which does set cookies) for those visitors that would like to pay (but do not want to have cookies from YouTube, etc.)

But it seems you still use consent management even for paying users, right?
 
We do not allow to get any content from our site without paying an access fee or accepting cookies.
So a reject to cookies and a reject to pay is a reject to access our site. This seems to be legally possible since many of the larger news sites do it that way. Also ad-blocking users are forced to pay or leave.

I try to figure that out for my forum as well. What I learned so far:
In Germany it is legally possible to implement a "pay or accept" model if publishers finance themselves mainly from advertising revenues.
Of course, you have to provide a gateway for the paying process and make sure the upgrade process is done automatically (at once) etc. This is what I look into at the moment.

Careful: we should not mix up cookies and advertising. Not every cookie is set for advertising. Not every advertisement sets cookies.
For a long time we have had paid memberships where absolutely no advertisement is shown, cookies set or not. Visitors (registered or unregistered) who are not in this member group can reject cookies from e.g. Google Ads and do not see them. They still see the ad banners we host without cookies.

So my idea is to let unregistered visitors access the site either with cookies set or a minimal fee and only functional cookies. Not quite sure where I will be going with that, still in the process.

Unfortunately Consentmanager.net automatic blocking does not work reliably (most likely automatic blocking does not work reliably with any pure JavaScript solution).

Right. That is why I use the half automatic blocking.

  • No Google Analytics
  • Limited choice of CAPTCHA providers
  • No embedded media
... no Google Fonts etc. There are other methods, as @HWS pointed out. We do not use GA or Google reCAPTCHA.

But it seems you still use consent management even for paying users, right?
Yes, because not every cookie is set for advertising. If a paying member still does not want to see embedded media, he can turn it off.
 
There is no reason to set cookies at a "hobby" site besides the technically required ones. You can simply deactivate all other cookies and don't need a consent solution at all. I would highly recommend that for any hobby site out of Europe. You don't want to struggle with a full-fledged consent management solution and take any legal risk for a hobby only.
... and that actually shows that you don't seem to know all that much about the situation in Germany (and basically the entire EU).

Are "hobby" sites/forums not allowed to use YouTube, Google Maps, CAPTCHAs, various statistical services or the like?
The boundaries between hobby and business are fluid, at least in Germany, you can see that day in and day out.
Many think they are just running a hobby forum, but generate income through Adsense, for example. Often just enough to pay for the web space, sometimes maybe more, often less.
And apart from that - DSGVO applies to hobby sites as well as to commercial ones! At best, it is taken into account in the amount of the penalties, but there is no license just because you think you are only running a hobby forum.

You describe a black and white world, but that simply doesn't exist and especially in the area of GDPR there are still some areas where legal clarity will only be achieved through further court proceedings.

It is also not so easy to say that this cookie is technically necessary and that one is not. There are already very divided opinions here and over the years it will probably only be clearer if the judges say so.

And to say a hobby forum doesn't need cookie consent is (unfortunately) completely wrong. Far from reality and a little bit, that also seems arrogant or just ignorant to me.

It's really frightening how ignorance or a certain arrogance seems to creep in here and there with success.

Nobody demands a 100% solution from Xenforo, I also said that I would rather see Cookie Consent as an official addon and I would pay for it if it worked.
But one way or the other - I would hope for at least a functioning framework, yes I would expect it after such a long time (the GDPR has not only been known since 2022 ;) ).

It really should be discussed more constructively as Chris said. But this also includes not ignoring or dismissing facts.
 
Yes, because not every cookie is set for advertising. If a paying member still does not want to see embedded media, he can turn it off.
"He can turn it off" is not the often wished-for opt-in - it's only an opt-out... in the sense of the GDPR mostly not the best idea. ;-)
 
"He can turn it off" is not the often wished-for opt-in - it's only an opt-out... in the sense of the GDPR mostly not the best idea. ;-)
Sorry, I'll rephrase: If a paying member wants to see embedded media, he can turn it on via the consent tool.
 
Just wanted to share this, maybe someone is interested:

I just received an email from Matomo announcing a masterclass "Cookieless 2024: How to Future-Proof Your Marketing Campaigns". It is for free, date is today 3 pm CET. If you cannot attend, you may still register and get a link to the recording afterwards.
Other than using Matomo on my websites I am not affiliated with them in any way.
 