Implemented Update Cookie Banner compliant to GDPR

markoroots

Well-known member
Hi there I want propose the implementation of the Cookie Banner to be compliant to the GDPR law we have in Europe.

Right now the banner have only the possibility to click on "Accept" and this is not accordant with the law we have here about the privacy policy.
To be legal here, that banner must show all the cookies used and let the possibility to the users to accept or not the use of these.
Is it also possible to show as mandatory some "Necessary Cookies" to make turn good the site, but the users can decide to accept these, or go out of the site, the third party cookies instead can be accept or not, by just selecting the options "yes" or "no".

So would be really important for us to have the right options to let us set the banner to be law compliant.
This need:
  • a button that show all the cookies are used
  • the options/buttons to accept them or refuse
  • possibility to set use all and refuse all, or some of them
  • show what are the strictly necessary cookies to access the site
  • give them the possibility to accept only the "Necessary" that must be explained for what are used for and refuse the others (third part)

This is necessary for us that live in Europe because the default cookie banner with the GDPR directive is became in this moment furthermore out of law and this is a big risk for us.
 
Last edited:
Upvote 40
This suggestion has been implemented. Votes are no longer accepted.
My understanding is that Cloudflare Turnstile does not set cookies or local storage data (and indeed it does not seem to in my testing). Using other CAPTCHA providers will result in a consent form being displayed prior.
That might well be the case.

Unfortunately under EU law transfer of PII (which includes the IP address) to the USA (which is most likely the case here?) must be consented - no matter if data is saved / accessed on the client or not.


Yeah, third parties are currently all or nothing.
This is unfortuantely not sufficient :(

I'm not sure we'll be making any immediate changes, but there is certainly some room to inhibit certain functionality (notice dismissal, etc.) to make additional cookies optional.
Ideally every cookie that is not absolutely needed to perform "basic" operations should be optional.

It's easy for add-ons to create new cookie groups and register additional cookies with the consent system. The cookie consent object itself is extendable too, and we're open to feedback regarding how we can make the system more amenable to different needs.
That's great :)

I'll most likely have to take a look at the code to see what is already possible to give feedback.
Being able to easily integrate with existing CMP (eg. TCFv2) seems to be the most important issue (for me).

It might also be worth to think about multiple device usage, having to set / change consent on every device as a logged in user seems tedious.
 
Unfortunately under EU law transfer of PII (which includes the IP address) to the USA (which is most likely the case here?) must be consented - no matter if data is saved / accessed on the client or not.

62018CJ0311

Just to be clear

We will not be going into the individual ins and outs of specific rulings or individual jurisdictions.

Our approach as always will be one of balance and perspective, and make the tools available so if you disagree with our interpretations and guidance we have received, then you are free to go to the n'th degree.
 
Personally, I think the more complex you make it the more likely you are to impact user experience to the point of driving visitors away. Don't forget many people still see cookies as the devil incarnate and fail to understand that the use of them is generally innocuous.
I think I'll keep ours 'simple' until instructed to do otherwise. We do have separate consent for advertising cookies which runs alongside the XF cookie consent notice.
 
Just curious, what about if you're running Matomo analytics? Will this new implementation block their cookies?
No, not automatically.

You need to modify the code or template accordingly.

This is what the start of the Google Analytics template looks like now:

HTML:
 <xf:if is="$xf.cookieConsent.isThirdPartyConsented() && $xf.options.googleAnalyticsWebPropertyId">
 
This is what the start of the Google Analytics template looks like now:

HTML:
 <xf:if is="$xf.cookieConsent.isThirdPartyConsented() && $xf.options.googleAnalyticsWebPropertyId">
This is problematic (at least for Germany, but most likely for everyone under GDPR):
As previously pointed out, users must be able to explicity consent which services they do want to allow and which ones not.

Just binding this to a single "3rd party Consent" ist not sufficient (acccording to the advice we got from German authorities).
While it is somewhat understandable that XenForo might not be willing to go "that far", it would be tremendously useful if it was possible for 3rd Party Add-ons to hook in and tie this to existing CMP solutions.

To to this it would be required to know for which service consent needs to be checked.
Could this be changed so method isThirdPartyConsented does get an required argument for the service, eg. smth. like

HTML:
<xf:if is="$xf.cookieConsent.isThirdPartyConsented('googleanalytics') && $xf.options.googleAnalyticsWebPropertyId">
<xf:if is="$xf.cookieConsent.isThirdPartyConsented('twitter')">
?

Assuming that the class can be extended via XFCP this would make it easy to extend the functionality to cover granular decisions while still allowing the current behaviour (by just not checking the service identifier).
 
Just binding this to a single "3rd party Consent" ist not sufficient (acccording to the advice we got from German authorities).
Well... looks like a good avenue for an add-on developer to extend it JUST for those "special" German admins.

And your question is a good one... to bad it will just suck more money out of those admins that have to comply with German GDPR modified compliance.

Honestly... where does it end? Will you have to eventually get permission to allow your data to flow through an ISP in Germany, that then flows to servers elsewhere, which then flow through proxies located throughout the world (and that change dynamically) based upon each point the data passes through? Oh, and get permission for each entity it passes through.
There is a name for that process.... it's called anal retentiveness.

Hey Germany... news flash... you don't like the way the rest of the world operates.. simply separate yourself from it on the internet, make sure ALL your citizens are nice and comfy and protected behind your firewall and ONLY allow communications out to the rest of the world through authorized portals that limit the exchange of data.....

Wait... that sounds sorta like China now, doesn't it?
 
Last edited:
This is problematic (at least for Germany, but most likely for everyone under GDPR):

This is a Germany specific issue.

Other countries take a much more sensible approach which is our implementation.

However as has been pointed out, addon devs are free to pick up the underlying system and extend it to your requirements. Everything is there to make it work.
 
This is a Germany specific issue.
We can agree to disagree :)

For example the EUCJ decision I linked above ("Schrems II") is EU ruling so it does affect everyone in the EU.

However as has been pointed out, addon devs are free to pick up the underlying system and extend it to your requirements. Everything is there to make it work.
If I was going to implement an Add-on that allows service-specific consent (eg. allow YouTube but disallow Twitter) - how could I do that without having to touch every single place (that I might not even know about) where the services are used?

Should this be discussed in the development discussions forum?
 
For example the EUCJ decision I linked above ("Schrems II") is EU ruling so it does affect everyone in the EU.
The question becomes... do they need to support the "most restrictive" aspects.. or support those that apply to their locale? Last time I checked, the UK jumped ship from the EU (for whatever reason). So, if those specific geographic regions are MORE strict than the rest of the world, to me it would be dependent upon those admins in those areas to pursue avenues that meet their "restrictive government" requirements.
Can it result in additional costs to those admins.. most likely. But guess what... yell loud enough and things may change.

As I said, where does it end. Will you have to accept/get permission for every step your link takes to reach it's origination. Sounds (honestly) to me like they are going just a tad overboard.
How the f*ck can I give you the cookie options on a site that a user links an image to when you don't know the site they link to?
Once more... too much of a nanny state with no actual thought of the implementation of what they "want". Are they going to start shipping out cash to those sites that have to expend additional funds to meet their "nanny" requirements? You simply target the majority... and unluckily the EU doesn't happen to be a majority of the world.

EU: 446.8 million million (2021 stats I found)
Germany: roughly 84 million
World: 7.837 billion (2021)

Guess where the concern and concentration will be (and rightly so)? If certain geographic areas are more restrictive than the rest of the world then it's those admins responsibility to make sure their sites comply with their jurisdictional requirements.. as for the rest of us... tough luck for your living in there, guess you gotta pay more to enjoy those benefits.

Does this p*ss some folks off... probably.
Do I care.. not at all. YOU are responsible for the government you get. If you want a restrictive (and make me safe daddy/mommy) one, then be prepared to pay the price for it.
 
Last edited:
An end user absolutely has the right to know what cookies are being set on their computers and also has to decline them. There is not much "nannying" about that.

With that being said, the current iteration is good enough for my understanding of the requirements of GDPR, it covers most (if not all) aspects of privacy issues and can be expanded further as outlined above. I am not a legal expert, but I am 100% sure xenForo as a company will have sought outside advice to ensure their own compliance as well as ours.

If you need further controls for your country, maybe that falls on you as the site administrator...?
 
An end user absolutely has the right to know what cookies are being set on their computers and also has to decline them. There is not much "nannying" about that.
Do you actually realize how "many" cookies that could involve? Your site has a post that links to another site that has an image.. YOU are now responsible for "warning" them of the cookies of that site your forum links to? Do you realize how actually idiotic that idea is?
Personally I believe only cookies that are DIRECTLY used on the site need to be "alerted" to.
As I said... where do you stop.... ANY site that a link is posted to on your forum may create a cookie. Are YOU responsible for warning YOUR users about EVERY cookie for EVERY link that is posted on your site? Are you going to have to get specific permissions for EVERY site your request passes through if they track it by any method?
Once more, the nanny state wants to intrude... meanwhile, we adults will continue to audit what "cookies" are allowed via our browsers.

There is an acronym for that.. SFS (for those wondering "so f***ing sorry").

You target what the MAJORITY of the world does.. not a minor (roughly maybe 10%) sub sect wants.
I'm sure that XF has determined what meets the requirements of what the MAJORITY of the world requires, and not what a small minority of its occupants want.

As I said, if you live in one of those restrictive environments.. bend over, grasp your ankles and enjoy the insertion... as you simply have allowed it to happen.

I really don't understand when it became the responsibility of others to "protect' one from their stupidity. Like any piece of equipment, you need to avail yourself of the knowledge of how to operate it. Being a dumbshit is no excuse.
I guess it falls back to the "least common denominator" theory... and WAY too many of our society is at the level of mushrooms.
 
Last edited:
Do you actually realize how "many" cookies that could involve? Your site has a post that links to another site that has an image.. YOU are now responsible for "warning" them of the cookies of that site your forum links to? Do you realize how actually idiotic that idea is?
Personally I believe only cookies that are DIRECTLY used on the site need to be "alerted" to.
As I said... where do you stop.... ANY site that a link is posted to on your forum may create a cookie. Are YOU responsible for warning YOUR users about EVERY cookie for EVERY link that is posted on your site? Are you going to have to get specific permissions for EVERY site your request passes through if they track it by any method?
Once more, the nanny state wants to intrude... meanwhile, we adults will continue to audit what "cookies" are allowed via our browsers.

There is an acronym for that.. SFS (for those wondering "so f***ing sorry").

You target what the MAJORITY of the world does.. not a minor (roughly maybe 10%) sub sect wants.
I'm sure that XF has determined what meets the requirements of what the MAJORITY of the world requires, and not what a small minority of its occupants want.

As I said, if you live in one of those restrictive environments.. bend over, grasp your ankles and enjoy the insertion... as you simply have allowed it to happen.

I really don't understand when it became the responsibility of others to "protect' one from their stupidity. Like any piece of equipment, you need to avail yourself of the knowledge of how to operate it. Being a dumbshit is no excuse.
I guess it falls back to the "least common denominator" theory... and WAY too many of our society is at the level of mushrooms.
I am not an idiot so yes obviously I understand how cookies work and how they can be set. I also understand fully the implications.

As a responsible website owner, we still have a responsibility to audit what cookies are being set by our service. To argue otherwise is "idiotic". Just because we allow user submitted content, does not mean we are not responsible to some degree for it.

It could be as simple as alerting a user to 3rd party cookies (as XF is now, and like I have said, is adequate in my opinion) and not displaying images / external content if that setting is disabled. We do not have to individually vet each incoming image.

But I didn't say that, did I...?

Infact, I think we are mostly agreeing here that the current implementation is good enough...?
 
Hmmm. So on the computer I am on now, I did not accept Third Party cookies. Now I see this for a post in another thread. Nice. So it lets you know exactly what is affected. This gets better all the time.

1669987939004.webp
 
As a responsible website owner, we still have a responsibility to audit what cookies are being set by our service. To argue otherwise is "idiotic". Just because we allow user submitted content, does not mean we are not responsible to some degree for it.
Does the word minutiae ring a bell?
There reaches a point where the individual user is responsible for their OWN choices.
 
Hmmm. So on the computer I am on now, I did not accept Third Party cookies. Now I see this for a post in another thread. Nice. So it lets you know exactly what is affected. This gets better all the time.

View attachment 277627
But the point remains.. if ANOTHER site sets cookies that YOUR site knows nothing about.. now, explain to me how that should be processed (BTW the below is from Imgur, which I am pretty sure sets coookies).. Did you get a prompt about it? And if not, why not?
I honestly don't know.. so please feel free to elucidate.

57Eq7Hw.jpg
 
But the point remains.. if ANOTHER site sets cookies that YOUR site knows nothing about.. now, explain to me how that should be processed (BTW the below is from Imgur, which I am pretty sure sets coookies).. Did you get a prompt about it? And if not, why not?
I honestly don't know.. so please feel free to elucidate.

57Eq7Hw.jpg
I didn't get one but I am now on a different profile where I think I accepted 3rd party cookies.

I am actually fine with current cookie handling, really. However, for many forum admins and owners, that decision is no longer ours. Some governments are passing laws that make us responsible for informing the users and ensuring they can consent or not and applying standards for how that is done. Canada has not, but our new privacy law (assuming it ever happens) could change that. The new functionality can be turned off (just use "Simple" mode) so if you don't like it, turn it off. However, it provides a valuable tool for those of us who feel this matters or are facing government regulation that makes it matter.

So instead of ranting at XF for implementing the functionality, which has been in high demand for some time now due to GDPR in Europe, rant at the governments whose regulations are making this a necessity.
 
Last edited:
I didn't get one but I am now on a different profile where I think I accepted 3rd party cookies.
in other words... you did NOT get a notification of cookies from ImgUr (which I am pretty sure they send).

So please feel free to expound on how XF should determine EVERY link that is processed. , and the associated cookie with it, and the necessary cookies related to EVERY link that is posted on the forum, and FURTHER relate any incident cookie information to then end users.

I'm pretty sure, when you give your full intellect to that point, you will realize the idiocy of it. A more generic acceptance by members would be more appropriate. For those jurisdictions that are more anally retentive.. additional actions by an add-on may be required.

You simply notify your user that outside links may set cookies (the generic level). You are NOT responsible for any outside links that may occur.
 
Last edited:
Do Admin's have the option in the ACP settings to set the default to "yes" for all 3 options?

Do members have the ability to see what Cookie choice they made in their UserCP and make changes if needed?
 
Top Bottom