Implemented Update Cookie Banner compliant to GDPR

markoroots

Well-known member
Hi there, I want to propose the implementation of a Cookie Banner that is compliant with the GDPR law we have in Europe.

Right now the banner only has the possibility to click on "Accept", and this is not in accordance with the law we have here about the privacy policy.
To be legal here, that banner must show all the cookies used and give users the possibility to accept or not the use of these.
It is also possible to show some "Necessary Cookies" as mandatory to make the site work properly, but the users can decide to accept these or leave the site; the third-party cookies instead can be accepted or not by just selecting the options "yes" or "no".

So it would be really important for us to have the right options to let us set the banner to be law compliant.
This needs:
  • a button that shows all the cookies that are used
  • the options/buttons to accept or refuse them
  • the possibility to set accept all and refuse all, or some of them
  • show which are the strictly necessary cookies to access the site
  • give them the possibility to accept only the "Necessary" ones, which must be explained (what they are used for), and refuse the others (third party)

This is necessary for us who live in Europe because the default cookie banner, under the GDPR directive, has by now become outside the law, and this is a big risk for us.
 
Upvote 40
This suggestion has been implemented. Votes are no longer accepted.
I was talking to two different lawyers, because one of them is specialised in European law and the other one in privacy and data law.
Good. And you've presented their written advice to Xenforo? Not your version of something they said, but their actual written words. Because legal advice heard second hand is often missing things that Xenforo would need to get this right.

Sorry if I am being a bit of a prick about this, but I work in a corporate world where anything legal has to be in writing. Xenforo is likely the same.
 
No, I didn't. Was the questioning here mostly ignored? Yes.

Did I want to make big trouble out of the thing? No.

The issue is, as I see now, that users' concerns are not taken seriously, and this brought me to the point of stopping working with the software.

About the money and refund:
I don't really care about the money, we can donate it too, but I don't really like to pay for something that didn't do its job because of fatal, known issues!
 
I see a few unhappy users, which is not the same as "concern of users are not taken seriously". Xenforo likely has reason to believe that they have taken appropriate action when they did the GDPR updates a few years back, maybe even their own legal advice to that effect. Keep in mind that not all Xenforo users fall under GDPR and that the platform can be extended and customized in ways that would probably meet the requirements of some countries. Certainly, there's no issue with current Canadian privacy law though, admittedly, that's a very low bar. Our privacy laws are nowhere near as rigorous as GDPR and the last attempt to update them to something more like GDPR died due to an election being called.
 
We maintain a reasonable refund policy. Unfortunately, spurious claims of "awful" support and three years since the date of purchase would not be considered reasonable in this case, as I will confirm in response to your ticket shortly.
I've been using XF successfully for over a year and it's still running my forum really well right now so I demand a refund!!! :p
 
I see a few unhappy users, which is not the same as "concern of users are not taken seriously". Xenforo likely has reason to believe that they have taken appropriate action when they did the GDPR updates a few years back, maybe even their own legal advice to that effect.

We took a lot of advice from the UK Information Commissioner's Office in relation to this, and I personally was on the phone to them (sometimes multiple times a day) for specific clarity on specific points.

It does not help either that most bodies involved in "policing" this issue will only offer "guidance" rather than a hard and fast rule; that is because they themselves often do not know the answers until it gets tried in court. Lawyers take this even further on the alarmist scale to keep themselves in a job, and I will state that Chris' use of the word hysteria for this particular group is accurate. I have yet to hear of any site being outright slapped with any sort of fine without first being contacted by the relevant body and asked to make changes. Nobody is going to be waking up to a letter in the post stating they've been nailed for £100k.

I can also see some clarifications on analytics cookies and the types of consent that may need us to take a different approach on this part.

Fortunately the UK has already realized what an absolute mess all this is and will hopefully lead the way in bringing in new legislation to clean it all up.


Invision claim full GDPR compliance nowadays as well.

Out of curiosity I loaded their forums up, and I was not presented with ANY information at all relating to cookies or consent, despite a dozen or so being set on my browser.
 
I also personally think a new web standard needs to be created to better handle this for all parties, where on loading a page (or site) with cookies a file is sent with all the information needed, and this is handled at the browser level, where a user can be given all the relevant information and management of them in a standardized way that becomes familiar, easy to manage and more informative for the end user. That way, even for 3rd party providers like analytics, the website owner can "pass through" the information to the browser and not get caught out.
 
We took a lot of advice from the UK Information Commissioner's Office in relation to this, and I personally was on the phone to them (sometimes multiple times a day) for specific clarity on specific points.

It does not help either that most bodies involved in "policing" this issue will only offer "guidance" rather than a hard and fast rule; that is because they themselves often do not know the answers until it gets tried in court. Lawyers take this even further on the alarmist scale to keep themselves in a job, and I will state that Chris' use of the word hysteria for this particular group is accurate. I have yet to hear of any site being outright slapped with any sort of fine without first being contacted by the relevant body and asked to make changes. Nobody is going to be waking up to a letter in the post stating they've been nailed for £100k.

I can also see some clarifications on analytics cookies and the types of consent that may need us to take a different approach on this part.

Fortunately the UK has already realized what an absolute mess all this is and will hopefully lead the way in bringing in new legislation to clean it all up.
Thanks for that clarification and the effort you made; it does make me feel easier about getting hassled by the ICO.

Out of curiosity I loaded their forums up, and I was not presented with ANY information at all relating to cookies or consent, despite a dozen or so being set on my browser.
Now, that's interesting.

I know that they claim full GDPR compliance as one of their product features. Perhaps it's not enabled for their product site? Whatever, while I have a license that I bought years ago, I'm not using their software and don't intend to.
 
I wonder how many forum owners are registered with the ICO?

I know we are and as stated above I've yet to hear anything from them regarding falling foul of GDPR rules.
 
They claim lots of things, I left a month or so ago with 3 licenses due to their failings and costs, it certainly wasn't GDPR compliant (about similar to XF) when I left.....
I believe that. Life is good here at XF. The software is really slick.
 
Yes, I have been to 2 different lawyers, one in 2017 and one in 2021. They gave me pretty much the same answer: that these things are needed and should be implemented.

And no, there is no lawsuit considering it yet, but until there is a lawsuit that says that this is NOT the case, it is not a discussion.

It is something that absolutely needs to be addressed, as do dark patterns, which are not legal, and my country's regulator is specifically going after them. And yes, there is a precedent now here (that's not a forum, but note that the "best deal" is visible, yet that foreign company was fined for breach of local consumer law due in part to the use of a dark pattern - see labelled screenshot). Some people on Discord were arguing with me that we can't fine foreign companies - we absolutely can, and the watershed case on this was ACCC v Valve. You can read the court orders and ruling here as well as the judgment. If you haven't read it before, it's a very entertaining read for a court document; Valve didn't obtain legal advice before telling their customers they weren't entitled to their rights when they were (from paragraph 39 on in the Orders). "Valve made the argument that 'we're based overseas so the law doesn't apply', but the law does apply" is a theme throughout the ruling as well. Paragraph 48: "I do not consider that the issues concerning the application of the Australian Consumer Law to overseas corporations in Valve's position were so clear that, despite the absence of any determinative judgment on the point, overseas corporations must have known that they were subject to local law. ..." Oh, what do you know, the rule of law applies no matter where you're based, and enforcement can be taken. That doesn't just go for consumer law, but also for business and competition law (it's the one very well resourced regulator, so good luck making an opposing argument - the judge will simply say "the law applies").

In terms of GDPR & Cookies with forums - you need to do these things:
  1. You need to separate essential cookies from non-essential, and really you shouldn't need non-essential cookies unless it's for third-party use such as advertisers. The only thing that a forum needs to store in a cookie is login information, and that's it. Per-device settings are something that can be stored in cookies, but would require affirmative consent under GDPR.
  2. You need a clear privacy policy (with cookie use explained there).
  3. If you're only using essential cookies you don't need a banner - the privacy policy is enough, but you need a way to put a link to it in sign-up/log-in forms and ideally a check-box next to it saying "I accept".
  4. You need a way to clear all cookies with one click. If "Log Out" does this then fine; if not, you need to make a link and put it in the page. It must also remove 3rd-party cookies.
  5. Finally, if you need to use a "cookie banner" you cannot use a dark pattern designed to trick users into selecting options that may not be in their best interests. That means you absolutely cannot highlight "Accept All" over "Refuse All", for example.
Very few websites do this right as it is. Having your forum software not provide you with the right framework is an issue that most forum apps will have to address (Flarum included).

You don't have to like the law, but you do need to abide by it or exclude people from the country where you're breaking their laws.

I'm a bit tired of the forums lately; I'm going to give myself some time before starting over with something. Flarum seems interesting to me, but as I say I need some time to recharge my batteries. I had become very obsessed with Xenforo, but there are times when we have to take a step back and see everything with perspective. Hugs, everyone.

Come join the Flarum community if you like. That's not an attempt to be in competition with xF or anything, I see their software as very different and catering to a different market compared with xF.

Laywers take this even further on the alarmist-scale to keep themselves in a job

If that's your reaction to written legal advice you received, I'd be quite concerned. "Doctors keep people sick to keep themselves in business". "Mechanics keep your car in bad condition to keep themselves in business". Or how about "Rack911 Labs sent us an alarmist security audit to keep themselves in business". etc. (For those who don't get the reference, Rack911 is very well known and highly respected within the cyber-security/server-hardening space.) There are bad apples in any profession; that doesn't mean you can ignore clear legal advice because you think it's "alarmist". I like my doctor and I like my mechanic (who I just had a 30 minute chat with following a service, going over a few things). If I had a lawyer I would like to like them. Precedents have been set now. Here's some free published legal advice on Dark Patterns; scroll down to the end and read the last three paragraphs for the tl;dr. Any regulation here has the ability to reshape the entire internet (although unlike GDPR it will make it less annoying, because dark patterns); the regulator is very well resourced with a lot of power, and the laws are as water-tight as anything. The Trivago ruling is the precedent (well, on Dark Patterns; the Valve case is the precedent that shows foreign companies that do business here, including 100% online, must follow our laws), and if a company had no assets in Australia and were uncooperative, and you wanted to pursue enforcement, you could seek relief through things like issuing a court order to a payment processor to withhold funds to the value of the damages (that's very common in these things) or from advertising networks like Google (who themselves just lost a local defamation lawsuit this week).
Oh, and to demonstrate how dumb Google LLC is, they literally didn't defend the defamation lawsuit once it got to trial; they withdrew every single defence that they were claiming they were going to take to trial, so that trial was only about the damages they had to pay and nothing else.

I'm not a lawyer; however, my mind does have a legalistic way of thinking, and I think it's very bad advice to say you shouldn't listen to your legal advice, IMO. If you're not happy with it, get another opinion from a better firm.
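The five-point list in the post above can be turned into a small client-side consent gate. The code below is an added example, not XenForo's, Flarum's or the poster's code: it declares every cookie with a category and purpose (points 1 and 2), only shows a banner when optional categories exist (point 3), refuses to set any cookie in a category the user has not opted into, only loads third-party scripts after consent, clears every reachable first-party cookie in one call (point 4), and gives "accept all" and "refuse all" identical presentation (point 5). Cookie names, purposes and the `consent-btn` class are constructed for illustration; the jar abstraction exists so the same logic runs against `document.cookie` in a browser and against a Map in Node.

```javascript
// Added example (not XenForo's or any vendor's code): a client-side consent gate.
// Cookie names and purposes below are constructed for illustration.

// Points 1 & 2: every cookie the site sets is declared here with its category
// and purpose, so the banner and the privacy policy can list them.
const COOKIE_REGISTRY = [
  { name: 'forum_session', category: 'essential',  purpose: 'keeps you logged in' },
  { name: 'forum_consent', category: 'essential',  purpose: 'remembers your cookie choice' },
  { name: 'forum_style',   category: 'functional', purpose: 'per-device display settings' },
  { name: '_analytics_id', category: 'analytics',  purpose: 'third-party traffic analytics' },
];
const CONSENT_COOKIE = 'forum_consent';

// Cookie jar abstraction: document.cookie in a browser, a Map in Node/tests.
// Page script only ever sees first-party cookies, which matters for clearAll().
function browserJar() {
  const parse = () => {
    const out = {};
    for (const part of document.cookie.split(';')) {
      const i = part.indexOf('=');
      if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1));
    }
    return out;
  };
  return {
    list: () => Object.keys(parse()),
    get: name => parse()[name],
    set: (name, value) => { document.cookie = `${name}=${encodeURIComponent(value)}; path=/; SameSite=Lax`; },
    remove: name => { document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`; },
  };
}

function memoryJar() {
  const store = new Map();
  return {
    list: () => [...store.keys()],
    get: name => store.get(name),
    set: (name, value) => { store.set(name, value); },
    remove: name => { store.delete(name); },
  };
}

function createConsentManager(jar) {
  const byName = new Map(COOKIE_REGISTRY.map(c => [c.name, c]));
  const categories = [...new Set(COOKIE_REGISTRY.map(c => c.category))];
  const optional = categories.filter(c => c !== 'essential');

  // Stored choices; a missing or unparsable record means nothing was consented to.
  const choices = () => {
    try { return JSON.parse(jar.get(CONSENT_COOKIE) || '{}'); } catch { return {}; }
  };
  // Essential cookies never need consent; everything else is opt-in, default off.
  const isAllowed = category => category === 'essential' || choices()[category] === true;

  return {
    isAllowed,
    // Point 3: no optional categories, or a choice already recorded, means no banner.
    needsBanner: () => optional.length > 0 && jar.get(CONSENT_COOKIE) === undefined,
    // What the banner lists: each category, whether it is required, and its cookies.
    disclosure: () => categories.map(category => ({
      category,
      required: category === 'essential',
      cookies: COOKIE_REGISTRY.filter(c => c.category === category)
        .map(({ name, purpose }) => ({ name, purpose })),
    })),
    // Point 5: all three actions share one style; no emphasised "accept", no pre-ticked boxes.
    bannerButtons: () => ['acceptAll', 'refuseAll', 'customise']
      .map(action => ({ action, cssClass: 'consent-btn' })),
    // Record an explicit yes/no per optional category; anything unmentioned is "no".
    recordChoice: selection => {
      const stored = {};
      for (const category of optional) stored[category] = selection[category] === true;
      jar.set(CONSENT_COOKIE, JSON.stringify(stored));
      return stored;
    },
    // The only path for setting cookies: undeclared names fail loudly, and a
    // cookie in a refused category is not set (returns false).
    setCookie: (name, value) => {
      const entry = byName.get(name);
      if (!entry) throw new Error(`undeclared cookie: ${name}`);
      if (!isAllowed(entry.category)) return false;
      jar.set(name, value);
      return true;
    },
    // Third-party tags are the usual source of cookies a site cannot delete itself,
    // so their loader only runs once the category is allowed.
    loadIfAllowed: (category, loader) => {
      if (!isAllowed(category)) return false;
      loader();
      return true;
    },
    // Point 4: one call removes every reachable first-party cookie, including the
    // consent record, so the banner reappears. Cookies set on other domains are not
    // reachable from page script; loadIfAllowed() is what keeps them from appearing.
    clearAll: () => {
      const names = jar.list();
      names.forEach(name => jar.remove(name));
      return names.length;
    },
  };
}

// Stand-alone demo; in a browser pass browserJar() instead of memoryJar().
const demo = createConsentManager(memoryJar());
demo.setCookie('forum_session', 'constructed-session-id');
demo.recordChoice({ functional: true, analytics: false });
console.log('analytics allowed:', demo.isAllowed('analytics'), 'cleared:', demo.clearAll());
```

The design choice worth noting is that refusal is the default: a missing consent record is treated the same as "refuse all", so a cookie in an optional category can only ever be set after an explicit choice, and a third-party script is never loaded before consent because nothing else can remove the cookies it would leave behind.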
 
This cookies craziness is brought to you by the fellow (non-elected) members of the European Union.

It's just a piece of txt file, for God's sake, but it needs some kind of bizarre regulation.

I hope all of Europe follows in the steps of the Britons.
 
It's just a piece of txt file, for God's sake, but it needs some kind of bizarre regulation.
The problem is how some bad, or at least less ethical, actors have used them, creating the perception in the public and political spheres that they are a terrible thing. E.g. tracking third party cookies. However, with current cookie controls in browsers, users do have some power over those now so not sure how effective legislation is vs. education on how to set your browser securely (and maybe pressuring browser makers into making "Block third party cookies", as it is called in Chrome, the default).
 
This cookies craziness is brought to you by the fellow (non-elected) members of the European Union.

It's just a piece of txt file, for God's sake, but it needs some kind of bizarre regulation.

I hope all of Europe follows in the steps of the Britons.
They are actually elected.
 
Not all then.

People always forget the bureaucrats behind the spotlight.
But that's no different from any other parliamentary system. Politicians set broad direction and approve laws but it is bureaucrats who draft regulations under those laws and figure out how to implement the laws and regulations. Canada's government works that way, as do our provincial governments. So how is the EU different?
 
This cookies craziness is brought to you by the fellow (non-elected) members of the European Union.

Look I feel you with EU (they are dumb) but GDPR is not unworkable at all. So I would really like to hear from @Slavik as to why they think their legal advice is "alarmist-scale to keep themselves in a job" and IF that's the case why they didn't get a second opinion (what we're talking about here is way less than what a proper security audit costs to put it into perspective).
 
Look I feel you with EU (they are dumb) but GDPR is not unworkable at all. So I would really like to hear from @Slavik as to why they think their legal advice is "alarmist-scale to keep themselves in a job" and IF that's the case why they didn't get a second opinion (what we're talking about here is way less than what a proper security audit costs to put it into perspective).

Yes, me too, and I would love to see any of the "written" legal info from XF or customers about this.

It's incredibly frustrating and unprofessional of XF to ignore this issue which is very clear as far as the legals are concerned - GDPR compliance is a requirement for websites in EU (& UK), regardless of what you, or I, or XF think about GDPR, Brexit, bureaucrats or cookies.

It's a shame that without any useful input from XF this thread has descended into stupidity when this is a serious issue that needs to be resolved.
 
It would be very helpful if we could get any substantive info from XF.

for example:
  • what technical solution XF would propose to the issue that we have identified (or whether the issue is still not clear to them)?
  • whether there are technical issues that are preventing them from sorting this out? It might be helpful to open up that conversation to the community, as there are lots of technically and legally experienced people on here who might be able to assist.
  • whether there is any prospect of XF working on this issue; if so, what's the delay, and is there any way to escalate or encourage them to prioritise this in the issues queue?
  • since @ChrisD has made it clear that they are not interested, is there any way to challenge/appeal that "decision"/position with XF? By not engaging with us on this matter, XF are also not allowing us to hold them responsible for this failure of their software.
  • are XF having some sort of a crisis? It's beginning to feel a bit weird that they are so neglecting this matter, or am I missing something here - is there another version due that will have this functionality that they want us to buy instead or something?
 