
How to implement European Cookie law/GDPR compliance?



Hi,

We have been given an official notice by Dutch authorities saying that our community has to fully comply with GDPR/Cookies laws within 6 weeks. Sadly there still seems to be no implementation whatsoever in Invision Community for cookie law compliance. https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies

I found some scripts but they require modification of the html (templates) which I am not comfortable with. Especially since the changes would have to be repeated after (most) updates.

This is one of the (open source) scripts I found:

https://kiprotect.com/docs/klaro/getting_started

Are there any other members willing to share how exactly they made their community GDPR compliant or maybe someone knows a simple way of achieving just that?

Thanks!

Kind regards,

Michel


There is stock functionality for that. I see your site (linked from the footer) already implements the approval button (which is part of it), but you don’t give any information about cookies in it and you don’t make accepting the cookies part of the approval. That should of course be fixed. 


Quote

...and you don’t make accepting the cookies part of the approval. That should of course be fixed. 

How would I achieve that? GDPR states that (most) cookies may not be stored before explicit consent. As far as I understand, the Invision Community banner (that contains the approval button) does not provide any such functionality. It just seems to warn, but cookies are written immediately anyway and I see no way of preventing that.

Quote

The EU institution must adequately inform users and obtain their consent before setting cookies and any other technology falling within the scope of Article 5(3) of the ePrivacy directive. By default, none of those cookies must be set.

The cookie information is on the privacy page mentioned in the banner (in Dutch, the language of our visitors). https://www.sat4all.com/forums/privacy/


Yup, but this does not solve the lack of compliancy. I think it's mighty strange that Invision does not provide adequate tools to comply for their European customers.

Anyhow I still need a solution 😞  Does anybody know a simple compliant implementation of the cookie consent?


Yes, could you be more specific? I read conflicting information there. My link below is the actual law and I have received an official notice by our government. I am quite sure I am not compliant even though I am using all tools available in the Invision Community software. 😞

https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies

 

Quote

(25) However, such devices, for instance so-called "cookies", can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

 


Guys, I'm really just looking for a solution for this problem. I'm not here to troll Invision for them not doing much to help their European customers, because obviously that is not too important for them.

I'm just asking for someone who had the same issue, to share their solution with me, before being fined by the authorities for not complying. 😉 


20 hours ago, Michel_72 said:

Guys, I'm really just looking for a solution for this problem. I'm not here to troll Invision for them not doing much to help their European customers, because obviously that is not too important for them.

I'm just asking for someone who had the same issue, to share their solution with me, before being fined by the authorities for not complying. 😉 

Can you outline specifically what "issue" you are looking for assistance with?

The only cookies our software directly sets are "strictly necessary cookies", which are excluded from requiring consent.

https://gdpr.eu/cookies/

In other words, you should not require consent to set any cookies that our software is setting, unless you are using a third party service (Google Analytics, Google Ads, etc.) in which case you may need some mechanism to do so, however this is outside the scope of our software release realistically.


We have several sharing options enabled in the software:

[image]

and:

[image]

We are using the internal advertisements module for Google AdSense.

And we have Analytics enabled (using Google Analytics).

It looks like a whole lot of cookies are written without consent, and since this is all part of the community functionality, I have no simple way of preventing this without disabling everything.

Attached the scan report by Cookiebot.

report-wwwsat4allcom-4490654.pdf

 

 


1 hour ago, bfarber said:

however this is outside the scope of our software release realistically.

I guess his point is that “delivering ads” and “connecting to Google Analytics” are native parts of the software, so it could hold back delivering those calls until explicit consent was given by checking additional checkboxes for things like “visitor analytics” and “ad services”. I kind of see the point. 
Alternatively, each service would have to ask for consent separately, which would be a nightmare for the visitors. 

 

@Michel
P.S. As far as I know the sharing services are just outgoing links. They don’t have any privacy implications. 


Yes, sharing and social profile links do not set cookies so those are irrelevant.

While we facilitate being able to set up ads and collect analytics, we don't actually perform those things within our software directly. Further, you could enter any analytics javascript code you want - how would our software be able to know what cookies are set and what they are for? Same with advertisements: you are using Google Ads, but there are hundreds of services (not even considering home-grown solutions), and we wouldn't have any way to know what cookies are set and for what purposes unless you explicitly outlined this.

For this reason, it's pretty hard to automatically block those things from loading and give users appropriate notification of what cookies will be set. You essentially need a middleman that knows the details which can request consent in this scenario.


But people, I'm really not asking for invision to help me, nor am I blaming invision for not helping.

I'm asking anybody who had the same problem to share with me/us how they solved it. 🙂

I found this open source solution: https://github.com/kiprotect/klaro 

https://kiprotect.com/docs/klaro/getting-started but don't know how to implement this correctly in the Invision Community software.


One of the challenges of super strict GDPR compliance and an online community is that you don't really have complete control over every single link, image or embed that appears as this is generated by your members.

What are the outstanding items you need help with? Requiring permission for analytic cookies?


I'm taking a look at the integration work needed - all I've done thus far is added the 2 JS files and that is the result.

The problem is the changes needed to be done to the existing <script> tags throughout the theme, and then you also have to be able to configure it so that will require an interface that feeds into the config.js file.

No promises at all, but if I can figure out the basics then it might be possible to do a custom job for you on this one - I'll post back later if I can figure out a good way of doing this.


Just coming back to this - unfortunately, I think I'm going to pass on this one as this element is just a nightmare to achieve:

On 8/21/2020 at 5:43 PM, Nathan Explosion said:

the changes needed to be done to the existing <script> tags throughout the theme

This corresponds to item 2 on the 'Getting started' page - https://kiprotect.com/docs/klaro/getting-started

I reckon the full integration of this code might be better achieved via a custom theme, instead of a plugin. Theoretically, all of the elements in the config.js code could be turned into settings on a theme (already achieved it via the POC plugin) so it would make sense to cover everything in a theme, instead of trying to do a plugin which attempts to modify the includeJS template, amongst other items, to accommodate the HTML tag changes needed.


13 minutes ago, Nathan Explosion said:

Just coming back to this - unfortunately, I think I'm going to pass on this one as this element is just a nightmare to achieve:

This corresponds to item 2 on the 'Getting started' page - https://kiprotect.com/docs/klaro/getting-started

I reckon the full integration of this code might be better achieved via a custom theme, instead of a plugin. Theoretically, all of the elements in the config.js code could be turned into settings on a theme (already achieved it via the POC plugin) so it would make sense to cover everything in a theme, instead of trying to do a plugin which attempts to modify the includeJS template, amongst other items, to accommodate the HTML tag changes needed.

Thanks anyway 🙂 Could you maybe give me an example on how to change those tags?

For example, my google analytics code looks like:

<script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
  ga('create', 'UA-123456789-1', 'auto');
  ga('send', 'pageview');
</script>

What would the modified (klaro compatible code) look like?


30 minutes ago, Michel_72 said:

Ah ok, I did modify the analytics code, but it didn't work (cookies were still written).

Did you configure the config.js to handle the 'application' called 'google-analytics'?

https://kiprotect.com/docs/klaro/annotated-config

It's not as simple as "drop it in as-is, make HTML changes, BOOM it works" - you need to configure it too.

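As an added example (not code from any poster in this thread or from Klaro itself), the script below audits theme HTML for the two problems raised in the last posts: a tracker <script> only waits for consent when it carries Klaro's type="text/plain" / data-name markup, and that name must also be listed as an application in config.js. The tracker host list, the status labels, the load() helper and the sample HTML are assumptions constructed for illustration.

```javascript
// Added example: audit theme HTML for tracker <script> tags that still run before consent.
// type="text/plain", data-type, data-name and data-src are Klaro's markup convention;
// TRACKER_HOSTS, the status labels, load() and SAMPLE_HTML are constructed for illustration.
const TRACKER_HOSTS = ['google-analytics.com', 'googlesyndication.com', 'doubleclick.net'];

const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script>
  load('https://www.google-analytics.com/analytics.js'); ga('create', 'UA-123456789-1', 'auto');
</script>
<script type="text/plain" data-type="application/javascript" data-name="google-analytics">
  load('https://www.google-analytics.com/analytics.js'); ga('create', 'UA-123456789-1', 'auto');
</script>
<script type="text/plain" data-type="application/javascript" data-name="adsense"
        data-src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
`;

// Parse the attribute text of one opening tag into a lower-cased name -> value map.
function parseAttrs(text) {
  const attrs = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of text.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  return attrs;
}

// configuredApps: the application names defined in Klaro's config.js.
function auditScripts(html, configuredApps) {
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const attrs = parseAttrs(m[1]);
    const haystack = [attrs.src, attrs['data-src'], m[2]].join(' ');
    const host = TRACKER_HOSTS.find((h) => haystack.includes(h));
    if (!host) continue; // first-party script, not a consent concern here
    const type = (attrs.type || '').toLowerCase();
    const name = attrs['data-name'] || null;
    let status;
    if (type === '' || type === 'module' || /(java|ecma)script/.test(type)) {
      status = 'runs-before-consent'; // the browser executes it on page load
    } else if (type === 'text/plain' && name && configuredApps.includes(name)) {
      status = 'gated'; // inert until consent is given for this application
    } else {
      status = 'blocked-but-unconfigured'; // inert, but no matching config.js entry
    }
    findings.push({ host, name, status });
  }
  return findings;
}

console.log(auditScripts(SAMPLE_HTML, ['google-analytics']));
```

Run it with Node against the rendered page source rather than the raw templates, so that scripts injected by the advertisements and analytics settings are included.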
