Implemented Update Cookie Banner compliant to GDPR

markoroots

Well-known member
Hi there, I want to propose the implementation of a Cookie Banner compliant with the GDPR law we have in Europe.

Right now the banner only has the possibility to click on "Accept", and this is not in accordance with the law we have here about the privacy policy.
To be legal here, that banner must show all the cookies used and give the users the possibility to accept or not the use of these.
It is also possible to show some "Necessary Cookies" as mandatory to make the site work properly, but the users can decide to accept these or leave the site; the third-party cookies instead can be accepted or not, by just selecting the options "yes" or "no".

So it would be really important for us to have the right options to let us set the banner to be law compliant.
This needs:
  • a button that shows all the cookies that are used
  • the options/buttons to accept or refuse them
  • the possibility to set use all and refuse all, or some of them
  • show what the strictly necessary cookies to access the site are
  • give them the possibility to accept only the "Necessary" ones (which must be explained as to what they are used for) and refuse the others (third party)

This is necessary for us that live in Europe because the default cookie banner, with the GDPR directive, is at this moment furthermore out of the law, and this is a big risk for us.
 
Upvote 40
This suggestion has been implemented. Votes are no longer accepted.

emaw

Member
It's a few hundred lines of code (JS, PHP, CSS, HTML, ...) in our own "Legal" Add-on (that isn't and won't ever be available for others).
I didn't "find" this code anywhere, as I posted we had to implement this ourself.
Sounds great, I wish it could be available for forums without resources like a DPO and coders!
 

emaw

Member
I've got a free report from https://www.cookiebot.com/ which lists a bunch of 3rd party cookies from YouTube and GA, but also the following 4 cookies which I guess are XF core(?) and are set before the user can consent.
  • xf___crossTab
  • xf_cacheKey
  • xf_csrf
  • xf_visitorCounts
Is that correct?
 
I should add that the report lists those 4 cookies as "Purpose description: Unclassified" - I guess that if they should be classified as "necessary" then these alerts would be false positives that could be averted by correctly listing the cookie purposes?
 

Kirby

Well-known member
Sounds great, I wish it could be available for forums without resources like a DPO and coders!
IANAL:
Many forums that fall under GDPR regulation would need a DPO anyway (-> Art. 37 (1) b GDPR).

  • xf___crossTab
  • xf_visitorCounts
From a technical point of view, those are not cookies - they are local storage objects, e.g. they are not sent back to the server.

From a legal point of view though it doesn't make any difference if data stored on a client is a "cookie" or a "local/session storage object" - it may only be stored if it is technically required ("Strictly necessary", in case of XenForo this would be cookies xf_csrf and xf_session for normal users plus xf_session_admin for Admins).

To simplify this, tools like Cookiebot do call all data stored on user devices "Cookies".
 
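A small audit helper for the distinction drawn in the post above (cookies vs. local storage, and which entries are strictly necessary), added here as an example; it is not XenForo code nor any poster's code. It assumes the default `xf_` cookie prefix and treats `csrf`, `session` and `session_admin` as the strictly necessary set named in the post; the sample input in the comments is constructed.

```javascript
// Added example (not XenForo's or any poster's code): classify client-side
// storage present before consent into "strictly necessary", "needs consent"
// and "foreign" (not set by the forum). Assumes the default "xf_" cookie
// prefix and the strictly necessary set named in the thread.
const COOKIE_PREFIX = 'xf_';
const STRICTLY_NECESSARY = new Set(['csrf', 'session', 'session_admin']);

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function parseCookieNames(cookieString) {
  return cookieString
    .split(';')
    .map(part => part.trim())
    .filter(part => part.length > 0)
    .map(part => part.split('=')[0]);
}

// Audit cookie names and local storage keys. Local storage entries are kept
// apart because they never reach the server, but they are judged by the same
// "technically required?" rule, as the post explains.
function auditStorage(cookieString, localStorageKeys) {
  const report = { necessary: [], needsConsent: [], foreign: [] };
  const entries = [
    ...parseCookieNames(cookieString).map(name => ({ name, kind: 'cookie' })),
    ...localStorageKeys.map(name => ({ name, kind: 'localStorage' })),
  ];
  for (const entry of entries) {
    if (!entry.name.startsWith(COOKIE_PREFIX)) {
      report.foreign.push(entry); // e.g. a third-party analytics cookie
    } else if (STRICTLY_NECESSARY.has(entry.name.slice(COOKIE_PREFIX.length))) {
      report.necessary.push(entry);
    } else {
      report.needsConsent.push(entry);
    }
  }
  return report;
}

// Everything that is not strictly necessary should not exist before consent;
// returns "kind:name" labels so the list can go straight into a report.
function preConsentViolations(report) {
  return [...report.needsConsent, ...report.foreign].map(e => `${e.kind}:${e.name}`);
}

// In a browser, call this before the banner has been accepted, e.g. with the
// constructed sample 'xf_csrf=tok; xf_session=sid; _ga=GA1.2.sample' and
// local storage keys ['xf___crossTab', 'xf_visitorCounts'].
function auditCurrentPage() {
  return auditStorage(document.cookie, Object.keys(window.localStorage));
}
```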

emaw

Member
Thank you @Kirby

FWIW, XF support confirmed that
For a default installation the only cookies which are served for a guest are:
  • _csrf
  • _session
though not whether they are "necessary or not". It seems like XF just doesn't list cookies' "Purposes" in a way that satisfies these checks?
 

Brogan

XenForo moderator
Staff member
  • _csrf
    • Stores a token, unique to you, which is used to verify that the actions you perform on this site were intended to be performed by you.
  • _session
    • Stores the current ID of your session.
 

Kirby

Well-known member
Not official but a good start
 

markoroots

Well-known member
but the ongoing hysteria about cookies is ridiculous

@Chris D this is not hysteria, but regulations that we (all that live in Europe, who aren't just "some users" as you say in another post) "must" be compliant with. Some of us are also receiving alerts from officers of our Governments because the software we are using is not GDPR compliant, which is also why many users here are asking for a solution to the same problem.
This is what is needed to be GDPR compliant, and until now these functions don't exist, though they could be added by you with a simple script that would fix the situation.

We got legal advice from our data protection officer that this is not the case (depending on which features are being used):

  • It is not compliant for visitors visiting the forum through a search engine (see above)
  • It is not compliant if Google Analytics is being used, as GA does set cookies to track the user without the user being able to explicitly accept or deny this
  • It is not compliant if various social media content (YouTube videos, Facebook posts, etc.) is embedded in posts as the providers do set cookies without the user being able to explicitly accept or deny this
  • It is not compliant if various Anti-Spam services (like Google ReCaptcha, StopForumSpam, Akismet, etc.) are being used as those services do process personal data (IP addresses, email addresses, etc.) without visitors being able to explicitly accept or deny this
  • It is not compliant if external content (Images, Giphy, etc.) is being loaded as the external services do process personal user data (IP address) without the visitor being able to explicitly accept or deny this
  • It is not compliant if gravatar is enabled as Gravatar would process personal data (IP address) of visitors without being able to explicitly accept or deny this
  • It is not compliant if a user executes certain functions (like staying logged in, switching style as a guest, switching language as a guest or using a smilie via the smilie menu) as those functions do set "performance cookies" (e.g. cookies that are not technically required for the website/service to operate but are necessary to provide comfort functions) without the visitor being able to explicitly accept or deny this.
  • It is not compliant if a valid IP information URL is configured as personal user data (IP address) would be submitted to an external service without the user being able to explicitly accept or deny this

Then all the "storage" activity of the users on a client is considered by our law as a cookie, because it tracks/stores the user activities. So each storage function must be explained in the cookie banner, and the users must be able to accept or reject "each" of these "function/storage/cookie" that are used; you can set some of these as "necessary", but those are not all of the ones used, such as the ones of Analytics, etc., which should be advised in the banner, giving the user the possibility to activate or deactivate them. And the XF cookie banner doesn't give the possibility to do that, so it's simply not compliant with GDPR regulation.

In any case I'm paying a developer to add this function, seeing that here it seems the problem exists only in our dreams. But as shown by many users now, also in many threads on XenForo about it, it doesn't.
 

markoroots

Well-known member
Anyway, if you need it, after months of research I have finally found this, which seems the best I have seen "For Free":

It is not simple to install, but it seems to be the one we need, with also a good layout (really important too).
We are trying to install this to solve the problem.
 

Kirby

Well-known member
A TCFv2 compliant CMP must be registered with IAB:
 

Kirby

Well-known member
That sentence means that there might be registered CMPs that are not compliant and thus not shown on the list.

Any compliant CMP must be registered with IAB (as the CMP ID is part of the TC string), but that does not necessarily mean that every registered CMP is actually compliant.
 