Implemented Update Cookie Banner compliant to GDPR

markoroots

Well-known member
Hi there, I want to propose the implementation of the Cookie Banner to be compliant with the GDPR law we have in Europe.

Right now the banner only offers the possibility to click on "Accept", and this is not in accordance with the law we have here about the privacy policy.
To be legal here, that banner must show all the cookies used and give users the possibility to accept or not the use of these.
It is also possible to show as mandatory some "Necessary Cookies" to make the site work properly, but the users can decide to accept these or leave the site; the third-party cookies, instead, can be accepted or not by just selecting the options "yes" or "no".

So it would be really important for us to have the right options to let us set the banner to be law compliant.
This needs:
  • a button that shows all the cookies that are used
  • the options/buttons to accept or refuse them
  • the possibility to use all, refuse all, or some of them
  • show what the strictly necessary cookies to access the site are
  • give them the possibility to accept only the "Necessary" ones, which must be explained as to what they are used for, and refuse the others (third party)

This is necessary for us who live in Europe because the default cookie banner has, with the GDPR directive, at this moment become out of compliance with the law, and this is a big risk for us.
 
Upvote 40
This suggestion has been implemented. Votes are no longer accepted.
If I was going to implement an Add-on that allows service-specific consent (eg. allow YouTube but disallow Twitter) - how could I do that without having to touch every single place (that I might not even know about) where the services are used?
This feedback has been noted and is under consideration.

This thread is fine currently as it pertains to what has been implemented.

After release, feedback may be better as further suggestions and of course bug reports.
 
My feedback is, it is too large on the bottom when it pops up. Is there any way to make it more horizontal? It might scare users off right off the bat since it looks like a massive control panel with a bunch of switches. Maybe the buttons laid out more horizontal than vertical position?
 
I'll most likely have to take a look at the code to see what is already possible to give feedback.
Being able to easily integrate with existing CMP (eg. TCFv2) seems to be the most important issue (for me).

I hope you'll release an addon to be compliant with GDPR. So we can ditch 3rd party solutions and have the cookie handled "in house". Really looking forward to it.
 
It would be great if a user could choose being tracked or not and that it would result in (for example) default Google Ads or Google Limited Ads.
 
in other words... you did NOT get a notification of cookies from ImgUr (which I am pretty sure they send).
No, I think not. As I understand it, the image that you shared was proxied by the XF site, and therefore served directly by the XF site to your/my browser. In other words, there was no connection from the browser of someone reading this thread to the imgur site and thus no need for any cookie alert, unless I'm very confused. (Try right-clicking on the image and opening it in a new tab for example.)
 
I also feel that there are way too many "necessary" cookies, for example xf_notice_dismiss or xf_lbSidebarDisabled.
You may be right about there being too many cookies flagged as necessary, but to be fair, are any of them actually problematic? The two that you've chosen to mention are so innocuous that I can't imagine anyone being concerned about them, if they are actually willing to use a given forum in the first place.
 
No, I think not. As I understand it, the image that you shared was proxied by the XF site, and therefore served directly by the XF site to your/my browser. In other words, there was no connection from the browser of someone reading this thread to the imgur site and thus no need for any cookie alert, unless I'm very confused. (Try right-clicking on the image and opening it in a new tab for example.)
Not everyone uses the proxy system... THAT's really what I was pointing out. So, for those that do NOT use the proxy... you desire that some way, XF figure out the cookie policy and what cookie is provided by every service that has a link to their site posted in a discussion thread or media gallery?
 
Not everyone uses the proxy system... THAT's really what I was pointing out. So, for those that do NOT use the proxy... you desire that some way, XF figure out the cookie policy and what cookie is provided by every service that has a link to their site posted in a discussion thread or media gallery?
I've probably missed the point (perhaps it's discussed above) but I had kinda been assuming that XF treated every external link as needing third-party cookie permission. Is that not how it's working?
 
I've probably missed the point (perhaps it's discussed above) but I had kinda been assuming that XF treated every external link as needing third-party cookie permission. Is that not how it's working?
The point I'm relating to is this
Just binding this to a single "3rd party Consent" is not sufficient (according to the advice we got from German authorities).
While it is somewhat understandable that XenForo might not be willing to go "that far", it would be tremendously useful if it was possible for 3rd Party Add-ons to hook in and tie this to existing CMP solutions.
From what it sounds like, Germany wants the users to be able to select EVERY cookie that is presented/used?
So if one links to third party sites (either via an image or even a URL) it would stand to reason that you, as an admin, have to offer ALL data on cookies/tracking present from those third party sites.
 
Possibly, but that wasn't quite how I understood it.
From my understanding, that's what 3rd party consent consists of... YOUR site asks for a generic consent to any outside service cookies presented by your site. Specific third party consent would require knowledge of every cookie that can be presented when viewing the site, whether by a URL link or image. There are some cookies that are used directly by the XF software.... either through Google analytics/ads, any captcha used, etc. It's those other third party cookies that might be presented (and I don't know that they necessarily are) that I question.
 
Specific third party consent would require knowledge of every cookie that can be presented when viewing the site, whether by a URL link or image.
Well, I'm not saying that the law in question doesn't say that, but that requirement would be plainly ridiculous and (IANAL!) would be certain to fail at the first test, so I'm gonna guess that either it doesn't say that or it shouldn't say that :)
 
Well, I'm not saying that the law in question doesn't say that, but that requirement would be plainly ridiculous and (IANAL!) would be certain to fail at the first test, so I'm gonna guess that either it doesn't say that or it shouldn't say that :)
And here we agree... ;)
My point was that certain jurisdictions seem to trend to go overboard with requirements... and it's not limited to the EU. I could give you a laundry list of "stupid" laws/rules that were enacted that when it came time to implement showed how idiotic they were.
 
In Germany setting a link to an external site (without including any of its content), can get you in trouble, but this has nothing directly to do with Cookies or GDPR. In fact you are not allowed to link to a site with illegal content in any way, if that is or could be obvious to you, as the one who sets the link.
 
HTML:
 <xf:if is="$xf.cookieConsent.isThirdPartyConsented() && $xf.options.googleAnalyticsWebPropertyId">
After thinking a bit about this and testing xenforo.com behaviour:
As far as I can see for now, the HTML is different whether there is Consent for 3rd Party (or not).

How does this change affect Guest Page Caching or other downstream caches like Lite Speed Cache?

Another thing I've noticed:
When saving the setting, XenForo seems to show a popup message that the user choice has been saved and afterwards reloads the page.
This behaviour seems pretty uncommon (I think I've yet to see any website that shows the user a message that privacy preferences have been saved or that reloads the page).

IMHO this has several significant drawbacks
  • Unsubmitted form input (like on the advanced search or the registration form) does get lost
  • Depending on the browser the scroll position might get lost
  • The page does get loaded twice, this doubles the traffic for the HTML
  • As the page is loaded twice this significantly reduces time to interaction on first visit especially on a (slow) mobile connection
Instead of reloading the page (to change HTML) 3rd party content should be loaded inline after consent has been given (without showing a notice that the preference was saved).

Furthermore, the consent screen is even shown on pages like Help / Cookie usage, Help / Terms and rules and Help / Privacy policy - I think the user shouldn't "have" to make a decision just to be able to fully view those (legally required) information pages and thus those pages should be exempted.

If third party cookies are not consented [...] it largely affects CAPTCHA providers
As Turnstile (which is used by xenforo.com) doesn't seem to be affected:
What would be the behaviour if an affected CAPTCHA was used and a user attempting to register rejects 3rd parties - would he still be able to register or effectively be forced to accept all 3rd parties?
(The latter would be problematic => GDPR Art. 7 paragraph 4).
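
On the caching question raised in the post above, an added example (not part of the thread and not XenForo code): when the rendered HTML depends on third-party consent, a shared page cache keyed only by URL can hand the consented variant, analytics tag included, to a guest who never consented. The cookie name, `render` and `PageCache` are hypothetical stand-ins; nothing here states how XenForo's guest page caching actually behaves.

```python
from http.cookies import SimpleCookie

CONSENT_COOKIE = "consent_third_party"  # hypothetical cookie name


def has_consent(cookie_header):
    """Parse a Cookie header and report third-party consent."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(CONSENT_COOKIE)
    return morsel is not None and morsel.value == "1"


def render(url, consented):
    """Stand-in for a template that emits analytics only after consent."""
    body = f"<h1>{url}</h1>"
    if consented:
        body += "<script src='analytics.js'></script>"
    return body


class PageCache:
    """Toy guest page cache; optionally varies the key on consent state."""

    def __init__(self, vary_on_consent):
        self.vary_on_consent = vary_on_consent
        self.store = {}

    def key(self, url, cookie_header):
        if not self.vary_on_consent:
            return (url,)
        # Key on the normalised boolean, not the raw header, so unrelated
        # cookies do not fragment the cache.
        return (url, has_consent(cookie_header))

    def get(self, url, cookie_header):
        k = self.key(url, cookie_header)
        if k not in self.store:
            self.store[k] = render(url, has_consent(cookie_header))
        return self.store[k]


def leaks_tracker(cache):
    """True if a guest without consent is served the analytics tag."""
    # Constructed requests: a consenting guest warms the cache first.
    cache.get("/threads/1", f"session=abc; {CONSENT_COOKIE}=1")
    page = cache.get("/threads/1", "session=xyz")
    return "analytics.js" in page
```

The same check applies to any downstream cache in front of the site: the consent state has to be part of whatever that cache uses as its key, or the consent-dependent parts have to be loaded outside the cached HTML.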
 