Implemented Update Cookie Banner compliant to GDPR

markoroots

Well-known member
Hi there I want propose the implementation of the Cookie Banner to be compliant to the GDPR law we have in Europe.

Right now the banner have only the possibility to click on "Accept" and this is not accordant with the law we have here about the privacy policy.
To be legal here, that banner must show all the cookies used and let the possibility to the users to accept or not the use of these.
Is it also possible to show as mandatory some "Necessary Cookies" to make turn good the site, but the users can decide to accept these, or go out of the site, the third party cookies instead can be accept or not, by just selecting the options "yes" or "no".

So would be really important for us to have the right options to let us set the banner to be law compliant.
This need:
  • a button that show all the cookies are used
  • the options/buttons to accept them or refuse
  • possibility to set use all and refuse all, or some of them
  • show what are the strictly necessary cookies to access the site
  • give them the possibility to accept only the "Necessary" that must be explained for what are used for and refuse the others (third part)

This is necessary for us that live in Europe because the default cookie banner with the GDPR directive is became in this moment furthermore out of law and this is a big risk for us.
 
Last edited:
Upvote 40
This suggestion has been implemented. Votes are no longer accepted.

emaw

Member
You raise a good point about the cookies and I think XF should improve in this area. Fingers crossed.

If you want a refund, then you'll have to sign into your customer account and log a ticket to request it.

To be honest though, I doubt they would give it to you over this and the likely length of time you've had the license. Also, it would be very disruptive to your forum to suddenly lose use of the forum software. What do you intend to replace it with?
I'm very happy with the software, but really surprised that such a simple issue hasn't been addressed when it means that all xf forums are potentially operating illegally in Europe.
GDPR has been in effect for several years ago now, most media outlets in US have managed to deal with it. Handling data protection competently is a very basic function for software that facilitates group communication like this.
 

emaw

Member
@emaw:

Maybe you did not notice that the link in the last paragraph of your quote leads to the university's homepage and shows your forums's domain name. ;)

Regarding 3rd party cookies: First step would be to remove GA (just delete the property ID in the admin cp). Unless you did not include other 3rd party scripts, that should fix your biggest problem (but if we are strict, you would also need a consent for external media, like youtube - before it is loaded - there's at least one addon for this purpose).

btw: If you are located inside the EU, then the default XF privacy policy is definitely not sufficient. But it's your job to change this, not xenforo's one (they cannot create a privacy policy that works for any forum).
Thanks,
So you're saying that XF is no longer capable of measuring traffic from EU users with GA, that's not really acceptable, is it?
They need to provide software that allows admins to set it up to be compliant. At present that's not the case.

I have logged a ticket.

I expect that others may hear from "the German University" soon - the notice is genuine, but it seems like they are using drive-by spammer techniques to ideentify non-compliant sites - which is basically any xf forum.
 

Chris D

XenForo developer
Staff member
I would say so.

By default the only cookie that XF itself sets for guests is the xf_csrf cookie which is not tracking related but instead used for preventing cross-site request forgery attacks.

Implied consent for such cookies is acceptable.

In the notice you received, there is an opt-out. I suggest you use it and stop worrying.
 

emaw

Member
I would say so.

By default the only cookie that XF itself sets for guests is the xf_csrf cookie which is not tracking related but instead used for preventing cross-site request forgery attacks.

Implied consent for such cookies is acceptable.

In the notice you received, there is an opt-out. I suggest you use it and stop worrying.
Thanks Chris, I'll reply to the drive-by academics and let you know what they suggest,
I appreciate your taking time to reply about this
 

Chris D

XenForo developer
Staff member
Frankly, I'm not interested in what they suggest :)

There's no ill feeling against you for bringing it up, naturally, but the ongoing hysteria about cookies is ridiculous, tiresome and unnecessary. (At least in our case where cookies are functional or, in some cases, crucial for the functioning of the software at all).
 

deslocotoco

Well-known member
This cookies craziness is a paranoid nut job by our legislators.

As a lawyer, with one of my specializations in digital law, our GDPR is a copy-paste from the original GDPR (and Google translated, i swear. Is the same thing), but is not so restrictive about cookies. By the law, i just have to provide a (very extensive btw) Privacy Policy and that's it.

But should be nice to give some more customization, opt-in/out, choose cookies, etc., and specially, change the way the cookies banner behave.

As we know my friends, basically every single one browser is coming with some script blocker by default, and almost every guest that enter in my page when they click "Accept" they are redirected to the login page: "You have to login to do that" - and then, drive my guest away.

So, my solution? Disable this banner.

There is another solution for this, Chris? Or is better disable the banner?
 

emaw

Member
Frankly, I'm not interested in what they suggest :)

There's no ill feeling against you for bringing it up, naturally, but the ongoing hysteria about cookies is ridiculous, tiresome and unnecessary. (At least in our case where cookies are functional or, in some cases, crucial for the functioning of the software at all).
I'm interested to the extent that it is about users' choices whether to be tracked by the likes of Google or not, which i think is a valid concern, and represents good customer care on the part of forum operators.
I don't subscribe to "hysteria" :)
 

Pardal

Active member
Frankly, I'm not interested in what they suggest :)

There's no ill feeling against you for bringing it up, naturally, but the ongoing hysteria about cookies is ridiculous, tiresome and unnecessary. (At least in our case where cookies are functional or, in some cases, crucial for the functioning of the software at all).

I understand that you will be interested in xenforo users in Europe being concerned about European law and worrying about not receiving a fine.

If in a short space of time I cannot resolve the issue, I will look for other software that I can work with.
 

Chris D

XenForo developer
Staff member
What is the "issue"?

Guests only receive a cookie by default that is actually required for the software to function. Implied consent for this is adequate and is compatible with GDPR and other similar data protection regulations around the world.
 

Pardal

Active member
Sorry, I am talking about the choice of individual cookies that can comply with the current law in Europe.

I can't find anything to read that the owners of Xenforo care and intend to include it in an update, which gives me to understand that they are not in the least concerned about customers in Europe and that we are looking for our lives.
 

Chris D

XenForo developer
Staff member
The software is GDPR compliant already so while this feature may be considered in the future, and may be considered useful to some (all over the world) for more granular control, there's no compelling legal reason to add it at this time.
 

nocte

Well-known member
Regarding privacy policy:
They could make one that's GDPR compliant though. That's not too much to ask is it?
No, they can not. A privacy policy does not only describe what data is collected, but also what you (as site owner) do with it. XF staff cannot know the latter.

But I agree, that XF should be more compliant with GDPR out of the box and I upvoted this suggestion as well.
 

FTL

Well-known member
Regarding privacy policy:

No, they can not. A privacy policy does not only describe what data is collected, but also what you (as site owner) do with it. XF staff cannot know the latter.

But I agree, that XF should be more compliant with GDPR out of the box and I upvoted this suggestion as well.
Duh! Good point. Legalities really aren't my strong point lol. Techy stuff is another matter...
 

Kirby

Well-known member
By default the only cookie that XF itself sets for guests is the xf_csrf cookie which is not tracking related but instead used for preventing cross-site request forgery attacks.
What about cookie xf_from_search?
This does get set for guests visiting through search engines to track that they visited through a search engine without getting consent from the user to set this cookie.

The software is GDPR compliant already
We got legal advice from our data protection officer that this is not the case (depending on which features are being used):

  • It is not compliant for visitors visting the forum through a search engine (see abovce)
  • It is not compliant if Google Analytics is being used, as GA does set cookies to track the user without the user being able to explicitly accept or deny this
  • Is is not complianet if various social media content (YouTubeVideos, Facebook posts, etc.) is embedded in posts as the providers do set cookies without the user being able to explicitly accept or deny this
  • It is not compliant if various Anti-Spam services (like Google ReCaptcha, StopForumSpam, Akismet, etc.) are being used as those services do process personal data (IP addresses, email addresses, etc.) without visitors being able to explicitly accept or deny this
  • It is not compliant if external content (Images, Giphy, etc.) is being loaded as the external services do process personal user data (IP address) without the visitor being able to explicitly accept or deny this
  • It is not compliant if gravatar is enabled as Gravatar would process personal data (IP address.) of visitors without being able to explicitly accept or deny this
  • It is not compliant if a user executes certain functions (like staying logged in, switching style as a guest, switching language as a guest or using a smilie via the smilie menu) as those functions do set "performance cookies" (eg. cookies that are not technically required for the website/service to operate but are necessary tp provide comfort functions) without the visitor being able to explicitly accept or deny this.
  • It is not compliant if a valid IP information URL is configured as personal user data (IP address) would be submitted to an external service without the user being able to expelcility accept or deny this

Due to this, we had to implement code to block all those features / cookies untikl the visitor has given explicit consent to use them.
 

Kirby

Well-known member
Which code? and where did you find it?!
It's a few hundred lines of code (JS, PHP, CSS, HTML, ...) in our own "Legal" Add-on (that is and won't ever be available for others).
I didn't "find" this code anywhere, as I posted we had to implement this ourself.
 
Top