GDPR add-on

Pardal

Is anyone using an add-on that can comply with GDPR on their XenForo site? I see some companies that offer plugins but at an abusive monthly price. It would be interesting to know if someone has implemented their own add-on, since they could profit from the sale of this resource and help the rest of us with this GDPR problem. Thanks.

It would also be interesting to know if the XenForo team is going to offer an update in this regard for its customers in Europe. Thank you.
 
Plus one. (y)

But if this proposal goes forward, please add a way to turn it off. I wouldn't want to bother my customers with it. Maybe if I see small website owners being prosecuted for not complying I might change my mind, till then...
 
A GDPR add-on is probably an area that many developers will understandably stay away from. To create a truly effective add-on, one would need to understand how the GDPR laws are being applied in every country the add-on is designed to support. This would be incredibly difficult, and claims of its validity would leave room for legal action in the event that a rogue European court interpreted the law differently and fined a website using such an add-on. This is what happens when lawmakers who don't understand the web create laws and leave out companies such as Google and Apple, who could simplify this for everyone.
 
To create a truly effective add-on, one would need to understand how the GDPR laws are being applied
nope.

You have to give users the possibility to opt in to or out of cookies. All cookies on your website.
Common cookie management systems have "necessary cookies", "performance" (whatever this means) and "advertising".
The function of each cookie has to be explained. Example: https://cookiefirst.com/de/

So the plugin has to detect all cookies and implement a function to switch them on and off. Basically. This is explained in the config manual of Klaro.

That is the basic requirement by the law in all EU countries.

What happens if you don't, and what exactly "necessary cookie" or "performance cookie" means - OK, that depends, you are right. But that's not the task of the add-on developer. The job of the add-on is the functionality, clicking cookies on and off.

heyklaro is open source with IMO good documentation. As far as I understand the functionality, it's quite simple. I had it running during my switch from vB to XenForo but stopped fine-tuning it, because ... there were more urgent tasks, as always. So there is a working solution, without paying money.

The benefit of a plugin would be:

  • it's more convenient to install
  • the developer will keep it updated. Hopefully

Cookiefirst also worked, I have tested it. The basic price is 9 EUR/month - which would be OK for me. But I would prefer to give my money to XF developers.
 
Sorry, I disagree. There have been plenty of posts on this site with users listing their GDPR requirements. Even XenForo has claimed to be in compliance with GDPR, which is why I think you need that expertise. If the requirement was boilerplate then you wouldn't see so many different implementations on major websites. As a developer it would be a nightmare to develop. You would constantly have users ask for different versions of it to satisfy their perceived country's requirements. I do think it is great that you have found a solution that works for you.
 
Erm ... nope ;)

GDPR is way more than "just cookie layers" and the requirements for each country can be different.

There are many things besides cookies that are affected, for example:
  • Contact Form
    According to German authorities, this is not compliant as there is no indication which data is necessary and no explanation of how that data is being processed.
    Furthermore, there is no explanation about the legal base for processing that data (-> GDPR Art. 6); if it is GDPR 6(1) a), the user must be over 16 in Germany but only over 14 in Austria
  • Google Analytics
    Even if this was not using cookies, the user must be able to opt in, which is not possible
  • Gravatar
    This feature uses a hash of the user's email address and sends it to a third party; both the user using Gravatar as well as the user viewing a page must consent to this
  • Giphy
    If this feature is being used, the IP address of the visitor is being sent to a third party
  • IP Information URL
    If this is configured, IP addresses of users are being sent to a third party
  • Location information URL
    If this is configured, the value of the location profile field is being sent to a third party
  • Media Embeds
    Besides setting cookies in some cases, this loads data from third-party websites, i.e. those will get the user's IP, user agent, etc.
  • Restriction of processing
    According to Art. 18 GDPR users have the right to restrict processing of data; this is not really possible with XenForo - even if a user account is set to "Disabled", data is still being processed
  • Anti-Spam Tools
    Akismet, StopForumSpam, DSNBL - all those services use user data (email, IP) without the user even knowing that and without the user being able to object to this
  • CAPTCHA
    ReCaptcha, hCaptcha, Solve Media, KeyCaptcha - all those services use JavaScript being loaded from third-party servers, i.e. they will get the user's IP, user agent, etc.
  • External Storage (S3, etc.)
    As users upload personal data (photos of themselves in conversations, etc.), this is also affected
  • Permissions
    There might be third-party entities (e.g. moderators) that have access to private data (email, IP address)
  • and so on

This list is by no means complete, but as you can see, "GDPR compliant" isn't a label you can easily stick on a product - it is pretty complicated.
Therefore I do understand why XenForo hasn't done much in this regard.

We've implemented (most) of this for our XenForo 2 forums and wired that up with Consentmanager.net CMP, but that was a fair amount of work and requires ongoing maintenance.

What XenForo can and should do is to make it a lot easier for consent management tools to hook into XenForo and control things like getting/setting cookies, usage of 3rd party services (Captcha, Anti-Spam, Gravatar, etc.).

Klaro/heyKlaro might be nice for a website that doesn't use advertising - but it IMHO is pretty much useless if advertising is being used, as many ad providers (including Google) do require IAB compliance/TCFv2 signals that are not provided by Klaro.
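
Several items in the list above (Gravatar, CAPTCHA scripts, media embeds) come down to the visitor's browser contacting a third-party host on page load. The sketch below is an added example, not part of any post in this thread and not XenForo code: it lists those hosts from a page's static HTML. The host `forum.example`, the sample page and the Gravatar hash are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute makes the browser fetch something on page load.
FETCH_ATTR = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
              "video": "src", "audio": "src", "source": "src", "link": "href"}
# <link> fetches only for these rel values; rel="canonical" does not.
FETCH_RELS = {"stylesheet", "preload", "prefetch", "icon"}

# Constructed sample page; forum.example is a placeholder first-party host.
SAMPLE_PAGE = """
<link rel="stylesheet" href="/css.php?css=public">
<link rel="canonical" href="https://other.example/thread">
<img src="https://www.gravatar.com/avatar/00000000000000000000000000000000">
<script src="https://www.google.com/recaptcha/api.js"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<script src="//cdn.forum.example/js/app.js"></script>
"""


class ThirdPartyAudit(HTMLParser):
    """Collect non-first-party hosts that a page load contacts."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party.lower()
        self.hits = {}  # host -> set of tag names referencing it

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in FETCH_ATTR:
            return
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCH_RELS:
            return
        url = (attrs.get(FETCH_ATTR[tag]) or "").strip()
        host = (urlparse(url).hostname or "").lower()  # also parses //host/path
        if not host:
            return  # relative URL or data: URI, served by the forum itself
        if host == self.first_party or host.endswith("." + self.first_party):
            return
        self.hits.setdefault(host, set()).add(tag)


def audit(html, first_party):
    parser = ThirdPartyAudit(first_party)
    parser.feed(html)
    parser.close()
    return {host: sorted(tags) for host, tags in parser.hits.items()}
```

This only sees what is in the delivered HTML; resources injected later by JavaScript, and server-side calls such as anti-spam lookups, need a browser network log or a review of the server configuration instead.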
 
If you are interested in this function you can vote on this suggestion:
