Implemented Update Cookie Banner compliant to GDPR

markoroots

Well-known member
Hi there, I want to propose implementing the Cookie Banner to be compliant with the GDPR law we have in Europe.

Right now the banner only has the option to click on "Accept", and this is not in accordance with the law we have here about privacy policy.
To be legal here, that banner must show all the cookies used and give users the possibility to accept or not accept their use.
It is also possible to show some "Necessary Cookies" as mandatory for the site to work properly; users can decide to accept these or leave the site, whereas third-party cookies can be accepted or not by simply selecting the options "yes" or "no".

So it would be really important for us to have the right options to let us set the banner to be law compliant.
This needs:
  • a button that shows all the cookies that are used
  • the options/buttons to accept or refuse them
  • the possibility to accept all or refuse all, or only some of them
  • show which cookies are strictly necessary to access the site
  • give users the possibility to accept only the "Necessary" ones, which must be explained as to what they are used for, and refuse the others (third party)

This is necessary for us who live in Europe because, under the GDPR directive, the default cookie banner has now become out of compliance with the law, and this is a big risk for us.
 
This suggestion has been implemented. Votes are no longer accepted.
It is something that absolutely needs to be addressed, so too does dark patterns which are not legal and my country's regulator is specifically going after them. And yes there is a precedent now here (that's not a forum, but note that the "best deal" is visible but that foreign company was fined for breach of local consumer law due in part to the use of a dark pattern - see labelled screenshot). Some people on discord were arguing with me that we can't fine foreign companies - we absolutely can and the watershed case on this was ACCC v Valve. You can read the court orders and ruling here as well as the judgment. If you haven't read it before it's a very entertaining read for a court document, Valve didn't obtain legal advice before telling their customers they weren't entitled to their rights when they were (from paragraph 39 on in the Orders). "Valve made the argument that 'we're based overseas so the law doesn't apply' but the law does apply" is a theme throughout the ruling as well. Paragraph 48: "I do not consider that the issues concerning the application of the Australian Consumer Law to overseas corporations in Valve’s position were so clear that, despite the absence of any determinative judgment on the point, overseas corporations must have known that they were subject to local law. ..." Oh what do you know, the rule of law applies no matter where you're based and enforcement can be taken. That doesn't just go for consumer law, but also for business and competition law (it's the one very well resourced regulator so good luck making an opposing argument - the judge will simply say "the law applies").
None of these cases have anything to do with GDPR. I don't think anyone is arguing that if you do business in a country that you have to follow its laws. If you could kindly link a GDPR settled case in your country then we could perhaps evaluate your claim.
 
It's not really helpful to be debating GDPR here, it would be helpful if XF would respond to some of the questions about implementing this request, please @XenForo ?
 
I am not debating, I only pointed out that said user's examples were not GDPR related. I am asking for someone to post a settled case so the facts would be known. At this point, you have a bunch of users posting opinions and claims. It is easy for anyone to say they spoke with a lawyer and got certain advice, but posting some type of proof of their claim is what is needed.
 
Given that XF Ltd is based in a country bound by a version of the GDPR, and XF Ltd have indicated on multiple occasions that they sought legal advice, perhaps they feel that what is implemented is adequate for the uses that XF Ltd itself uses its software for... just a thought.
 
It would be really good to have some reassurance about that from XF 👍
 
Here’s the thing. The vendor does not owe you anything. The wording of the GDPR makes it clear that it is the data controller’s responsibility to work out if they are compliant, and vendors are encouraged to help with this but unless the vendor is selling you something “guaranteed compliant”, they’re giving you tools out of the box that may or may not fit your situation.

The reason this is complicated is because it’s dependent heavily on what you do with your forum. If you are selling products, you will likely be collecting additional data vs someone who is just using ads + analytics, vs someone who is doing none of the above.

It is my understanding that the base offering of XF is broadly compliant out of the box with the simplest use case, and the more things you do, the more you might have to add wording to the agreement etc.

I also don’t think you will get the clarity you are hoping for because to do so is legally precarious. If XF makes a statement saying the platform is “fully ready for GDPR” or some such, any customer of XF Ltd who implements it incorrectly might try to make XF Ltd liable for misrepresentation or similar. That’s why the wording of statements by folks like Slavik is slightly odd: it is there to legally protect XF Ltd against being held responsible for something it is not.

You buy the software, it has xyz list of features. It is NOT legally XF Ltd’s responsibility to ensure that it complies with your requirements. It is your legal responsibility to do so, especially as your requirements are not the same as others’.

Does that absolve XF Ltd of responsibility? Legally, yes. They have no requirement to provide anything related to GDPR except for what they do on their own site. However, a forum software that doesn’t help the admin out is likely to be passed over in future consideration for just that reason, because no one wants to build that themselves when there’s other platforms that will get them much further along, much more easily. It becomes a competitive disadvantage if not provided.
 
Has any forum owner been prosecuted for breaches related to GDPR?

As far as I am aware, no.

However, in light of some recent changes on the GDPR front, we are looking into implementing a broader set of cookie controls for site owners to have the option to turn on or off.

Our current line of thought is to use a system similar to that of the ICO (https://ico.org.uk/)

We feel this is a good balance of being informative, simple to understand, whilst offering a degree of control that will allow sites to remain compliant with potential future changes without being massively overbearing for the end user.

As always with any XF system, if a particular country (I'm looking at you, Germany) decides to turn the controls up to 11, a site will be able to extend it accordingly to their needs.
 
Hi @Slavik sorry not to respond sooner to say thank you for this update and express my appreciation to XF for working on this :) Good News!
 
With thanks to @Jeremy P and some preliminary investigations by @Slavik we have a new solution being implemented in XenForo 2.2.12 which is live here now.

You will now be able to enable an "Advanced" cookie consent process in the admin control panel. This can also be set to "Simple" (same behaviour as 2.2.11 and below) or disabled.


When Advanced is enabled, a cookie consent banner will seek additional acceptance.

Cookies will no longer be written until explicitly accepted. The exception to this is "Necessary cookies" which are responsible for keeping a user logged in, for example.

The full list of cookies and local storage items we could set and how they are categorised are listed here: https://xenforo.com/community/help/cookies/

Some content, such as embedded content from third party sites, will not load until third party cookies are accepted.

 
Just want to add that the system is a beta of sorts and, while we're probably not looking to make major changes, do let us know if you run into any issues. We appreciate any feedback.

Also it's worth noting that we don't attempt to scan for or block cookies unknown to the system at this time, so any add-ons or other customizations which may result in cookies being set will need to be adjusted to take advantage of it (but should otherwise continue working).
 
I will probably leave it on Simple until I get to check it out thoroughly myself in my dev, but this looks great at first blush. Thanks and kudos to the XF team.
 
From a forum owner's viewpoint, what effect would one expect to see/experience from the selections available to users? I'm thinking more along the lines of the revenue aspect, analytics such as traffic reports, page loading speeds with regards to excluding third-party cookies, etc.

 
If third party cookies are not consented, we don't load Google Analytics. Beyond that it largely affects CAPTCHA providers, payment providers, and media sites.
 
Beyond that it largely affects CAPTCHA providers, payment providers, and media sites.
Hmm ... I tried to register after Reject All and the Cloudflare CAPTCHA was still loaded.
Is this the expected behaviour?

I would have thought that such 3rd party services would not be loaded unless I have given consent.

Furthermore, it seems like it is not possible to allow YouTube but deny Twitter (for example)?
I also feel that there are way too many "necessary" cookies, for example xf_notice_dismiss or xf_lbSidebarDisabled.

The site works perfectly fine without those two cookies, so how can they be necessary?
Granted, without those cookies some state (dismissed notice, etc.) is not remembered, but that's not any different from used smilies not being remembered.

What's the difference that makes xf_emoji_usage optional?

IMHO & IANAL, only those cookies that are really required (e.g. xf_consent, xf_session, xf_csrf; maybe xf_inline_mod_*) should be Required; all others must be Optional.

Is it possible for add-ons to easily tie into the system?
Any website that does run advertising under GDPR is more or less forced to use a TCFv2 compliant CMP anyway - having another consent layer for XenForo doesn't make much sense (but the functionality to only load 3rd party content like Analytics, Embeds, etc. after consent is still required).
 
Hmm ... I tried to register after Reject All and the Cloudflare CAPTCHA was still loaded.
Is this the expected behaviour?
My understanding is that Cloudflare Turnstile does not set cookies or local storage data (and indeed it does not seem to in my testing). Using other CAPTCHA providers will result in a consent form being displayed prior.

Furthermore, it seems like it is not possible to allow YouTube but deny Twitter (for example)?
Yeah, third parties are currently all or nothing.

I also feel that there are way too many "necessary" cookies, for example xf_notice_dismiss or xf_lbSidebarDisabled.
I'm not sure we'll be making any immediate changes, but there is certainly some room to inhibit certain functionality (notice dismissal, etc.) to make additional cookies optional.

Is it possible for add-ons to easily tie into the system?
It's easy for add-ons to create new cookie groups and register additional cookies with the consent system. The cookie consent object itself is extendable too, and we're open to feedback regarding how we can make the system more amenable to different needs.
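As an added illustration (not XenForo's own code), here is a JavaScript sketch of the consent-gated cookie writer Chris D and Jeremy P describe above: registered necessary cookies are always written, other groups only once the user has consented, third-party content only with third-party consent, and cookies unknown to the registry pass through unblocked (the caveat Jeremy P notes for add-ons). The "xf_consent" value format, the in-memory jar and the add-on registration function are assumptions, not XenForo's real API.

```javascript
// Added example, not XenForo code: a minimal consent-gated cookie writer modelled
// on the behaviour described in this thread. The consent cookie format (comma-
// separated accepted group names stored in "xf_consent"), the Map used as a cookie
// jar, and the add-on cookie name in the test are assumptions.
const NECESSARY = "necessary";

// Registry of known cookies -> consent group. Add-ons extend it via registerCookie().
// The XenForo cookie names here are the ones quoted in the thread.
const registry = new Map([
  ["xf_consent", NECESSARY],
  ["xf_session", NECESSARY],
  ["xf_csrf", NECESSARY],
  ["xf_emoji_usage", "optional"],
]);

// Assumed add-on hook: register an additional cookie under a consent group.
function registerCookie(name, group) {
  registry.set(name, group);
}

// Groups the user has accepted; necessary cookies are always permitted.
function consentedGroups(jar) {
  const raw = jar.get("xf_consent") || "";
  const groups = new Set(raw.split(",").map((g) => g.trim()).filter(Boolean));
  groups.add(NECESSARY);
  return groups;
}

// Unknown cookies pass through: the system does not scan for or block cookies
// it has not been told about, so add-ons must register theirs to be gated.
function canSetCookie(jar, name) {
  const group = registry.get(name);
  return group === undefined || consentedGroups(jar).has(group);
}

// Returns true if the cookie was written, false if consent withheld it.
function setCookie(jar, name, value) {
  if (!canSetCookie(jar, name)) return false;
  jar.set(name, value);
  return true;
}

// Third-party embeds and analytics load only once third_party is consented.
function shouldLoadThirdParty(jar) {
  return consentedGroups(jar).has("third_party");
}
```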
 