markoroots

Active member
Hi there, I want to propose an implementation of the Cookie Banner that is compliant with the GDPR law we have in Europe.

Right now the banner only offers the possibility to click on "Accept", and this is not in accordance with the law we have here about privacy policy.
To be legal here, the banner must show all the cookies used and give users the possibility to accept or refuse their use.
It is also possible to show as mandatory some "Necessary Cookies" that make the site work properly, where users can decide to accept these or leave the site; third-party cookies, instead, can be accepted or not by just selecting the options "yes" or "no".

So it would be really important for us to have the right options to let us set the banner to be law compliant.
This needs:
  • a button that shows all the cookies that are used
  • the options/buttons to accept or refuse them
  • the possibility to choose "use all" and "refuse all", or only some of them
  • show which are the strictly necessary cookies to access the site
  • give them the possibility to accept only the "Necessary" ones, which must be explained in terms of what they are used for, and refuse the others (third party)

This is necessary for us who live in Europe because, with the GDPR directive, the default cookie banner has now become even more out of line with the law, and this is a big risk for us.
 
Upvote 12

Mendalla

Well-known member
I am not subject to GDPR and we are too small to even be subject to Canada's current law (not sure about the new bill that's before Parliament) but more detail and control over the cookie banner would not be a bad thing in general.
 

AndrewSimm

Well-known member
Hi there, I want to propose an implementation of the Cookie Banner that is compliant with the GDPR law we have in Europe.

Right now the banner only offers the possibility to click on "Accept", and this is not in accordance with the law we have here about privacy policy.
To be legal here, the banner must show all the cookies used and give users the possibility to accept or refuse their use.
It is also possible to show as mandatory some "Necessary Cookies" that make the site work properly, where users can decide to accept these or leave the site; third-party cookies, instead, can be accepted or not by just selecting the options "yes" or "no".

So it would be really important for us to have the right options to let us set the banner to be law compliant.
This needs:
  • a button that shows all the cookies that are used
  • the options/buttons to accept or refuse them
  • the possibility to choose "use all" and "refuse all", or only some of them
  • show which are the strictly necessary cookies to access the site
  • give them the possibility to accept only the "Necessary" ones, which must be explained in terms of what they are used for, and refuse the others (third party)

This is necessary for us who live in Europe because, with the GDPR directive, the default cookie banner has now become even more out of line with the law, and this is a big risk for us.
You should provide an example link to a website that uses this type of banner. An example may help others understand what you are asking for.
 

krieglich

Member
This is necessary for us who live in Europe because, with the GDPR directive, the default cookie banner has now become even more out of line with the law, and this is a big risk for us.
All cookies set by default XenForo are technically necessary and don't have to be accepted (see GDPR: "To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must: Receive users’ consent before you use any cookies except strictly necessary cookies.").

So while it would be nice to have a cookie banner with choices, the default XenForo installation wouldn't have any cookie that could be dismissed (feel free to correct me if I'm wrong).
 

markoroots

Active member
Yes, that's true, you are not wrong. It seems that now I'm not seeing third-party cookies on my site, even though a few days ago I saw them... few, but there were some others different from the XF core ones.

In any case we have to tell users which cookies are strictly necessary and what they are designed for.
On my site I see that there are 11 cookies (6 from Google and 4 from XF) that are not shown in the "cookie banner" with an explanation of what they are used for. That is something we must show/tell the users; then they are free to accept and continue to visit the site, or to decline and either continue to visit the site or leave the site.
 

Kirby

Well-known member
All cookies set by default XenForo are technically necessary
That's debatable ;)

For example, XenForo does set a cookie xf_from_search to track the search engine from which a visitor came to the website.
By default, this cookie is not being used at all, it would only be used if there are notices configured to only display for visitors through search engines.

So if this cookie is not being used at all (in most cases), how can it be "technically necessary"?

And even if it is being used for displaying a notice, would that be "strictly necessary"?
The forum would be fully functional without that notice, so from my understanding this is not necessary at all.

Necessary cookies would only be those cookies without which the forum cannot be used at all in a meaningful way.
This would include only two cookies: xf_session and xf_csrf.

Now keeping in mind that XenForo can work without xf_session for guests (this cookie is not being set if guest page caching is enabled but guest sessions for cached guest pages are not), even that cookie might not be "strictly necessary" for guests.

So to sum it up:
IMHO & IANAL XenForo cookie usage is currently not compliant.
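
An added example, not part of the post above or of XenForo's code: a small audit that takes Set-Cookie headers observed before any consent was given and reports every cookie outside a strictly-necessary allowlist. The allowlist follows the reading argued in the post above (xf_session and xf_csrf only) as an assumption; the hosts, cookie values and the tracker.example entry are constructed sample data.

```javascript
// Assumption taken from the thread: only these two count as strictly necessary.
const STRICTLY_NECESSARY = new Set(["xf_session", "xf_csrf"]);

// Constructed sample: responses seen while loading one page as a guest.
const SAMPLE = [
  { host: "forum.example", header: "xf_csrf=abc123; path=/; secure" },
  { host: "forum.example", header: "xf_session=def456; path=/; secure; HttpOnly" },
  { host: "forum.example", header: "xf_from_search=google; path=/; secure" },
  { host: "tracker.example", header: "uid=42; Domain=.tracker.example; Max-Age=31536000; Secure; SameSite=None" },
];

// Parse one Set-Cookie header value into { name, attrs } (attribute keys lowercased).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // malformed: no cookie name
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), attrs };
}

// Report cookies that were set without consent and are not on the allowlist.
function auditCookies(observed, siteHost, consentGiven) {
  const findings = [];
  for (const { host, header } of observed) {
    const cookie = parseSetCookie(header);
    if (!cookie || consentGiven || STRICTLY_NECESSARY.has(cookie.name)) continue;
    findings.push({
      name: cookie.name,
      // Third party: the responding host is neither the site nor one of its subdomains.
      thirdParty: host !== siteHost && !host.endsWith("." + siteHost),
      // Persistent: survives the browser session because a lifetime was set.
      persistent: "expires" in cookie.attrs || "max-age" in cookie.attrs,
    });
  }
  return findings;
}

console.log(auditCookies(SAMPLE, "forum.example", false));
```

Under this allowlist the audit flags xf_from_search as a first-party session cookie and uid as a persistent third-party cookie, which is the kind of inventory a banner with per-category choices would have to be built from.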
 

markoroots

Active member
Yes, right observations.

Also this thread is about this and is really interesting

 

krieglich

Member
Thanks for the clarification, Kirby. As I said, I'm glad about any correction.

For example, XenForo does set a cookie xf_from_search to track the search engine from which a visitor came to the website.
By default, this cookie is not being used at all, it would only be used if there are notices configured to only display for visitors through search engines.
But one could argue that this cookie is technically necessary because "User arrived on this site from a search engine" is the requirement for that configured note. But of course that's just debatable because the whole content of that law just sucks in terms of clear technical definitions.

All in all we're in need of a better cookie banner.
 