Implemented Update Cookie Banner compliant to GDPR

markoroots

Well-known member
Hi there I want propose the implementation of the Cookie Banner to be compliant to the GDPR law we have in Europe.

Right now the banner have only the possibility to click on "Accept" and this is not accordant with the law we have here about the privacy policy.
To be legal here, that banner must show all the cookies used and let the possibility to the users to accept or not the use of these.
Is it also possible to show as mandatory some "Necessary Cookies" to make turn good the site, but the users can decide to accept these, or go out of the site, the third party cookies instead can be accept or not, by just selecting the options "yes" or "no".

So would be really important for us to have the right options to let us set the banner to be law compliant.
This need:
  • a button that show all the cookies are used
  • the options/buttons to accept them or refuse
  • possibility to set use all and refuse all, or some of them
  • show what are the strictly necessary cookies to access the site
  • give them the possibility to accept only the "Necessary" that must be explained for what are used for and refuse the others (third part)

This is necessary for us that live in Europe because the default cookie banner with the GDPR directive is became in this moment furthermore out of law and this is a big risk for us.
 
Last edited:
Upvote 40
This suggestion has been implemented. Votes are no longer accepted.

Mendalla

Well-known member
I am not subject to GDPR and we are too small to even be subject to Canada's current law (not sure about the new bill that's before Parliament) but more detail and control over the cookie banner would not be a bad thing in general.
 

AndrewSimm

Well-known member
Hi there I want propose the implementation of the Cookie Banner to be compliant to the GDPR law we have in Europe.

Right now the banner have only the possibility to click on "Accept" and this is not accordant with the law we have here about the privacy policy.
To be legal here, that banner must show all the cookies used and let the possibility to the users to accept or not the use of these.
Is it also possible to show as mandatory some "Necessary Cookies" to make turn good the site, but the users can decide to accept these, or go out of the site, the third party cookies instead can be accept or not, by just selecting the options "yes" or "no".

So would be really important for us to have the right options to let us set the banner to be law compliant.
This need:
  • a button that show all the cookies are used
  • the options/buttons to accept them or refuse
  • possibility to set use all and refuse all, or some of them
  • show what are the strictly necessary cookies to access the site
  • give them the possibility to accept only the "Necessary" that must be explained for what are used for and refuse the others (third part)

This is necessary for us that live in Europe because the default cookie banner with the GDPR directive is became in this moment furthermore out of law and this is a big risk for us.
You should provide an example link to a website that uses this type of banner. An example, may help others understand what you are asking for.
 

krieglich

Member
This is necessary for us that live in Europe because the default cookie banner with the GDPR directive is became in this moment furthermore out of law and this is a big risk for us.
All cookies set by default Xenforo are technical necessary and don't have to be accepted (see GPDR: "To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must: Receive users’ consent before you use any cookies except strictly necessary cookies."

So while it would be nice to have a cookie banner with choices, the default Xenforo installation wouldn't have any cookie that could be dismissed (feel free to correct me if I'm wrong).
 

markoroots

Well-known member
Yes that it's true, you are not wrong, it seems that now I'm not seeing third part cookies on my site, also if few days ago I saw them... few but there were some other one different of the XF core.

In each way we have to tell the users what are the cookie strictly necessary and what they are designed for.
On my site I see that there are 11 cookies (6 from Google and 4 from XF) that are not shown in the "cookie banner" to tell for what are used, that, we must show/tell to the users, then them are free to accept and continue to visit the site, or discard and
or continue to visit the site, or go out the site.
 
Last edited:

Kirby

Well-known member
All cookies set by default Xenforo are technical necessary
That's debatable ;)

For example, XenForo does set a cookie xf_from_search to track the search engine from which a visitor came to the website.
By default, this cookie is not being used at all, it would only be used if there are notices configured to only display for visitors through search engines.

So if this cookie ist not being used at all (in most cases), how can it be "technically necessary"?

And even if it is being used for displaying a notice, would that be "strictly necessary"?
The forum would be fully functional without that notice, so from my understanding this is not necessary at all.

Necessary cookies would only be those cookies without which the forum cannot be used at all in a meaningful way.
This would include only two cookies: xf_session and xf_csrf.

Now keeping in mind that Xen_Foro can work without xf_session for guests (this cookie is not being set if guest page caching is enabled but guest sessions for cached guest pages are not), even that cookie might not be "strictly" necessary" for guests.

So to sum it up:
IMHO & IANAL XenForo cookie usage is currently not compliant.
 

markoroots

Well-known member
Yes right observations.

Also this thread is about this and is really interesting

 

krieglich

Member
Thanks for the clarification, Kirby. As I said, I'm glad about any correction.

For example, XenForo does set a cookie xf_from_search to track the search engine from which a visitor came to the website.
By default, this cookie is not being used at all, it would only be used if there are notices configured to only display for visitors through search engines.
But one could argue that this cookie is technical necessary because "User arrived on this site from a search engine" is the requirement for that configured note. But of course that's just debatable because the whole content of that law just sucks in terms of clear technical definitions.

All in all we're in need of a better cookie banner.
 

FTL

Well-known member
I'll second this - and have upvoted. We definitely need it to look something like @Pardal's post above mine.

In my particular case, I don't have any adverts and only the default system cookies are used, so I can get away without those options and just have the explanatory text there, but XF still needs to be made fully GDPR compliant.

The GDPR has been out now for a few years, so it really should have been done by now and not be a "special request" like we have on here.

@Mike just tagging you to help raise awareness of this with the devs. We'd all be very grateful if this could please be implemented in the next point update or two. 🙂
 

crondoc

New member
A solution we've come up with for our Xenforo forum is as follows. It also works on other non-Xenforo parts of our website.

We implemented this cookie service on our forum that is compliant with EU-GDPR rules. It doesn't just ask users to accept or reject the cookies. It allows you to specify which type of cookies you want to consent to.

We ended up putting it all into a PHP file which gets called in the last line of our style's page_container template.
We initially called it from near the top of page_container but this didnt work, because it needs to be after the point where Xenforo calls jquery.
 

Kirby

Well-known member
We implemented this cookie service on our forum that is compliant with EU-GDPR rules. It doesn't just ask users to accept or reject the cookies. It allows you to specify which type of cookies you want to consent to.
I might be wrong, but I think the following scenarios (and probably more) would fail and set cookies without my consent:

Scenario 1
  1. You've configured Google Analytics via the standard XenForo settings
  2. I've configured my browser to spefifically block ihavecookies JS from being executed
  3. I visit your forums

Would that cause Google Analytics to be executed and set a cookie?
If yes, your solution unfortunately is not compliant.

Scenario 2
  1. I search for your forum on Google and click on a result link to get to your forum

Would that cause XenForo to set cookie xf_from_search to track that I visited through Google without my consent for setting this cookie?
If yes, your solution unfortunately is not compliant.
 
Last edited:

crondoc

New member
This is what we have for Google Analytics in our website footer rather than using Xenforo's setting for it.

JavaScript:
if ($.fn.ihavecookies.preference('analytics') === true) {
                                console.log('GA is accepted.');
                                ga('create', 'UA-XXXXXXX-Y', 'auto');
                               ga('set', 'anonymizeIp', true);
                               ga('send', 'pageview');                               
                }
                else console.log("GA not accepted");

I'll have to come back to you about Scenario 2, you could be right. I'm new to Xenforo.
 

Kirby

Well-known member
This is what we have for Google Analytics in our website footer rather than using Xenforo's setting for it.
That's good, so this would almost work (as far as I can see from the code the gtag JS would still be loaded unconditionally, so Google would the users IP address without consent for that data transfer) :)

What about if a user has embedded a YouTube video into a post?
Or a Facebook post?
 

emaw

Member
I just received a notice that my forum is not GDPR compliant (a year after switching from vb)

The issue is exactly the one described here,
Third-party cookies set before interaction with consent notice

That's extremely slack of @XenForo, i'm surprised and very disappointed - its a simple issue and a technical solution should have been built in already. I would like a refund of my license tbh.

We are a group of security and privacy researchers from the xxx University in Germany. As part of our current research project, we analysed potential security and data protection issues in websites.

We would like to raise your attention to the following data protection issue on your website .com. Please note that we do not offer a conclusive legal assessment or consultancy on an individual website’s legal compliance.

--------
Third-party cookies set before interaction with consent notice
--------

Under Article 5 Paragraph 3 of the EU ePrivacy Directive (Directive 2009/136/EC) and respective implementations of the Directive into national law of the EU member states, the setting of individual cookies on the user's terminal equipment that are not strictly necessary for the functioning of the website is only allowed if the user has given his or her prior consent. Such consent has to be given in advance via a meaningful interaction by the user.

According to our automated analysis, your website does provide users with a cookie notice or consent form, but the cookies are set before any meaningful interaction of a user with the consent form takes place.
This lack of explicit consent may indicate noncompliance with EU ePrivacy requirements.

Please note:

- Fines for noncompliance with ePrivacy requirements may vary depending on national laws.

You can review more detailed information about the data protection issue on your website and its remediation status by visiting our web interface at: https://

Since this notification is part of an ongoing research project, we will re-check your website to verify if the issue has been fixed. If you wish us to stop this check, please visit our web interface at https to opt out or contact us at info@ Should you need further information or have any other questions, please do not hesitate to contact us using the same email address.
 

FTL

Well-known member
I would like a refund of my license tbh.
You raise a good point about the cookies and I think XF should improve in this area. Fingers crossed.

If you want a refund, then you'll have to sign into your customer account and log a ticket to request it.

To be honest though, I doubt they would give it to you over this and the likely length of time you've had the license. Also, it would be very disruptive to your forum to suddenly lose use of the forum software. What do you intend to replace it with?
 

nocte

Well-known member
@emaw:

Maybe you did not notice that the link in the last paragraph of your quote leads to the university's homepage and shows your forums's domain name. ;)

Regarding 3rd party cookies: First step would be to remove GA (just delete the property ID in the admin cp). Unless you did not include other 3rd party scripts, that should fix your biggest problem (but if we are strict, you would also need a consent for external media, like youtube - before it is loaded - there's at least one addon for this purpose).

btw: If you are located inside the EU, then the default XF privacy policy is definitely not sufficient. But it's your job to change this, not xenforo's one (they cannot create a privacy policy that works for any forum).
 

FTL

Well-known member
btw: If you are located inside the EU, then the default XF privacy policy is definitely not sufficient. But it's your job to change this, not xenforo's one (they cannot create a privacy policy that works for any forum).
They could make one that's GDPR compliant though. That's not too much to ask is it?
 
Last edited:
Top