Make Decidim EU cookie laws compliant

Virgile Deville
31/03/2020 18:42

**Is your feature request related to a problem?**

Decidim's current cookie banner is not compliant with the EU cookie laws. In several countries this could result in fines being issued to the website owners.

Here is a short summary of the things that we need to have in order to be compliant:

  • By default, all optional cookies are disabled (Matomo, Google, etc.)
  • Cookies necessary for the platform must be mentioned and justified.
  • The user must be able to revoke the acceptance of cookies at any time, in the footer or privacy policy or elsewhere, as desired.
  • Block all cookies from external services by default (analytics, embeds etc.)

Currently we do none of these by default on the Decidim install.

**Describe the solution you'd like**

Implement an existing solution that allows us to do all these things. We've started development on our end (https://github.com/OpenSourcePolitics/decidim/tree/feature/GDPR_compliance_update) but, thanks to one of our clients, stumbled upon a project which provides a simple and accessible solution to this problem: https://github.com/empreinte-digitale/orejime. It allows us to:

  • Set a default configuration with default Decidim cookies
  • Update the default configuration according to the needs of the instance (Save in base a script that will be injected in the views...).
  • Block the automatic setting of cookies from a third party platform.

We've identified 2 complexity factors:

  • One related to the multi-tenant mode of Decidim. Different cookies could be set for each organization.
  • One related to external services such as embeds (YouTube), dragged-and-dropped images from imgur and external services which can inject cookies that we would be co-responsible for.


**Describe alternatives you've considered**

Something should be done to make Decidim compliant with the cookie law.

**Additional context**

None

**Could this issue impact users' private data?**

Yes, as users have to give their consent for each optional cookie.

Category: Installation and configuration

Endorsements (3): Valentin Chaput, txema, Pauline Bessoles

Reference: MDC-PROP-2020-03-15215
Version 3 (of 3)
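
The default-deny behaviour the proposal asks for, sketched as an added example (not part of the original post, and not code from Decidim, orejime or Tarte au Citron). The registry `ORG_SERVICES`, the functions `validate`, `decide` and `revoke`, the host names and the cookie names are all hypothetical, constructed sample data; it covers per-organization configuration, justified necessary cookies, opt-in for optional services and revocation.

```javascript
// Constructed sample data: one service registry per organization (tenant).
const ORG_SERVICES = {
  "org-a.example": [
    { id: "session", required: true, purpose: "Keeps the user signed in", cookies: ["_session"] },
    { id: "matomo", required: false, purpose: "Audience measurement", cookies: ["_pk_id", "_pk_ses"] },
    { id: "youtube", required: false, purpose: "Embedded videos", cookies: ["VISITOR_INFO1_LIVE"] },
  ],
  "org-b.example": [
    { id: "session", required: true, purpose: "Keeps the user signed in", cookies: ["_session"] },
  ],
};

// Every service, necessary ones included, must state why it sets cookies.
function validate(services) {
  for (const s of services) {
    if (!s.purpose || !s.purpose.trim()) throw new Error(`service ${s.id} has no stated purpose`);
  }
  return services;
}

// Returns { serviceId: boolean }. Optional services are allowed only when the
// stored consent record belongs to this host and holds an explicit `true`.
function decide(host, consent) {
  const services = validate(ORG_SERVICES[host] || []);
  const granted = (consent && consent.host === host && consent.choices) || {};
  const allowed = {};
  for (const s of services) allowed[s.id] = s.required || granted[s.id] === true;
  return allowed;
}

// Withdraws consent for one optional service and lists the cookies the page
// should expire. Necessary services cannot be revoked here.
function revoke(host, consent, serviceId) {
  const svc = (ORG_SERVICES[host] || []).find((s) => s.id === serviceId);
  if (!svc || svc.required) return { consent, expire: [] };
  const prior = consent && consent.host === host ? consent.choices : {};
  return { consent: { host, choices: { ...prior, [serviceId]: false } }, expire: svc.cookies };
}

// A first visit (no consent record) loads only the necessary service.
console.log(decide("org-a.example", null));
```

A view layer would consult `decide` before emitting any third-party script or embed tag, so that nothing from an external service is requested until the matching entry is `true`.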
11 comments

Conversation with Antti Hukkanen
Antti Hukkanen
07/04/2020 12:52

This is an important topic, but just to add a few things to the discussion:
- There are national differences in the interpretation of the EU law. E.g. in Finland, users can have given consent to store cookies using their browser settings.
- The only thing we have been asked so far is to add a "reject" button in the cookie consent banner which would take the user out of the website to a configured URL stating that they cannot use the service without giving consent.
- Another possible way is to use such obtrusive cookie banners as they use on most of the news sites. This way the user would either give their consent or leave the website before storing any cookies to their browser. This is, however, irritating to most users so you will scare some people away with this approach.
- If you require the consent to be given before adding any tracking scripts to the user, you will lose a lot of analytics data when using the current unobtrusive method.

Antti Hukkanen
07/04/2020 12:55

Here is the full national interpretation for Finland:
https://www.kyberturvallisuuskeskus.fi/en/our-activities/regulation-and-supervision/confidential-communications

"Finland interprets the Directive on privacy in electronic communications (‘ePrivacy Directive’) so that users can give their consent to store cookies on their terminal equipment, for example, by using the appropriate settings of a browser or other application."

It still requires telling the user clearly about the cookies the site sets and the purpose of those cookies being set. The national difference is that for the explicit consent it is enough to assume the user has disabled cookies from their browser if they don't want to allow the sites to store any cookies.

Antti Hukkanen
28/05/2020 11:23

A small update regarding this from Finland:
https://cutt.ly/wyD5OfT

The Deputy Data Protection Ombudsman has given an order for the first Finnish company to improve their cookie consent implementations according to the EU laws.

It should be still noted that the default functionality in Decidim does not require any additional cookie consent as long as you have a page explaining the use of cookies and you clearly inform users about them. This is already the situation in a default Decidim installation with the current cookie banner with a link to the privacy policy page.

The reason for this is that by default Decidim does not set any other cookies than the session cookie which is counted as necessary. The cookie consents are not required for well explained necessary cookies in any EU country.

Antti Hukkanen
28/05/2020 11:26

The problem comes when you add Google Analytics or other such tracking software to the site. In this situation, you will need to have a clear consent from a user action, e.g. using a popup before the user tracking is started for that user.

This is the case only with 3rd party tracking software, such as Google Analytics. When you are using self-hosted tracking software where the data is not sent to a 3rd party, you will not need any extra consents from the user.

Conversation with Antti Hukkanen
Antti Hukkanen
07/04/2020 13:11

Browsers are also already implementing or planning to implement better measures to classify and enable/disable the cookies for sites based on their classifications:
https://support.mozilla.org/fi/kb/disable-third-party-cookies
https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/
https://support.apple.com/en-gb/guide/safari/sfri11471/mac
https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html
https://www.blog.google/products/chrome/building-a-more-private-web/
https://www.eff.org/deeplinks/2019/08/dont-play-googles-privacy-sandbox-1

Of course, we need a solution that complies with the laws in all EU countries with current, legacy and upcoming browsers. It just seems (and I personally really hope) in the future we might be able to get rid of these cookie consents and popups once and for all when these features are implemented in all browsers in a standard way and once sites start utilizing those features.

Virgile Deville
07/04/2020 19:36

Thanks Antti for bringing this perspective. They are annoying.

Conversation with Andrés
Andrés
29/06/2020 15:39

Wow, thanks everyone for the insights. As @ahu said, this would depend on the interpretation of every country. As supporting tracking cookies by default on Decidim could go against the Social Contract (at least in spirit), I think the best way of implementing this would be in a module.
I've seen that OSP already started working on that with orejime, although I don't know if it's ready for external uses: https://github.com/OpenSourcePolitics/decidim-module_cookies

Virgile Deville
17/08/2020 10:31

Yeah, we use it in Belgium, here is an example: https://uccle.monopinion.belgium.be

Antti Hukkanen
03/08/2020 12:58

Could you elaborate on which part of the Social Contract is violated by tracking cookies?

I think tracking cookies themselves are not harmful for the visitors if they are used in a fair way. Of course, e.g. what Google does with the tracking data, could be questioned, but even with Google it is possible to anonymize the tracking data of individual users. Even Google went ahead and made it possible to disable 3rd party cookies in Chrome.

I do still agree that this is a tricky issue to solve in a general way for all users in all countries. Some want/need to show popups and some want/need to show banners. Both of these options may have different functionalities depending on the context. E.g. according to some interpretations you need to have two equal buttons "Agree" or "Disagree" for the cookies.

Maybe the best way is the modular approach as Andrés mentioned but do we really need to solve this separately for every country? Or would this deserve a bit more discussion?

Conversation with Ariadna Vila
Ariadna Vila
31/01/2022 17:48

Hi! Very interesting issue. As you said, this can lead to legal issues. I would like to know if the module is finished and ready to use.

Pauline Bessoles
08/02/2022 11:22

Hi Ariadna! The module is finished but we won't maintain it for 0.25 and further versions (the original module maintenance is really rare). We found another tool really well made and useful called Tarte au Citron (https://tarteaucitron.io/en/) that allows us to easily add services and edit the cookie banner.
