Compliance with EU Cookie Law


(node) #1

Has anyone complied with EU cookie laws using Discourse? I’ve tried implementing the CIVIC JavaScript plugin, however it doesn’t seem to be working. Could an unintrusive cookie notice be included in Discourse which informs users that the site uses cookies, allowing cookies to be disabled if they wish?

(Matches) #2

It’s not unique to just cookies.

(Jeff Atwood) #3

Pardon my french, but this law is horseshit.

Major Internet properties like Amazon do not “comply” with it.


As I know you’ve been informed before:

Just because someone else does something, doesn’t mean you should. Said action could be illegal, wrong, or simply stupid.

Also, keep in mind that Amazon has a large army of lawyers to help them with issues like this. Have you consulted a single lawyer regarding this? One who is actively practicing?

Now, I am not taking a side on whether Discourse handles this correctly or not. I am simply saying that your argument is bullshit, and (as far as I am aware) you are not qualified to determine whether or not some other entity is in compliance or not.

(Jeff Atwood) #5

Can you point to anyone being sued over this? Anywhere? Ever? Also:

This law has been much derided and ultimately proven to be unworkable by the people charged with enforcing it. The ICO is simply doing the inevitable: ignoring the law as much as they can, until it goes away.

I would recommend complying with this law about as much as I would recommend “complying” with anti-miscegenation laws. Consult your lawyer on that as well.

(Régis Hanol) #6

I’ve never understood the rationale of this law except for making things harder for both developers and users…

French bureaucracy at its best!

(lid) #7

I agree about the horseshit reference, I actually found that have a cookie notice.

We should have a standard plugin for the European market, on Discourse.
Something like this.

(Jeff Atwood) #8

Looks like a simple hyperlink is fine, and certainly better than any kind of pointless, user hostile pop-up nonsense:

Overall the sites tend to take one of three options:

  • Display a massive banner or pop-up that is almost impossible for users to miss, notifying people of the basic details of the cookie policy.
  • Display a discreet notice alerting people to the fact that cookies are used.
  • Do almost nothing at all, simply adding a small hyperlink somewhere on the homepage. ✅

(Matches) #9

I don’t live in the EU, and I don’t have EU customers. But this thread is asking how to implement something to be in compliance with local law on Discourse, and whether or not you think it’s ‘horseshit’ or not, doesn’t change the fact that maybe it’s not ‘horseshit’ to the OP, and their legal department has decided the risk is too great to bear unless this feature is met.

This isn’t my software, I’m not the OP, and I don’t live in the EU. But the fact that your response isn’t ‘You can try this, but it’s not officially supported by Discourse’ and instead ‘You trying to comply with the law is horseshit’ really speaks volumes to me personally.

(Michael - #10

EU cookie laws do not apply to cookies that are ‘functional’, i.e. required for a web application to function correctly. So there is no need for the CIVIC plugin. Discourse is not violating any EU cookie laws.

EDIT to be clear; using Google analytics or AdSense without consent would be a violation of EU cookie laws.

@Matches the thread you are referring to is horseshit. Copying a file does not change whether copyright is being violated. Embedding a file can be a copyright violation as well.

@Lid a cookie notice is something different. EU laws require explicit consent for non-functional cookies. Not a hyperlink explaining what a cookie does. And with all due respect, someone who does not know what a cookie does in 2014, simply doesn’t care. Your forum will be the five-millionth website they visit. They’re not suddenly going to wonder ‘ohmygod this website uses cookies, what are those?!?!’

(Manthan Mallikarjun) #11

Easy. Go to

and just place and save.

<center>We use cookies. [What are cookies?](</center>

Now, this will show up at the bottom of every page…

We use cookies. What are cookies?

(Jeff Atwood) #12

If someone comes to me and says “I want to bang this hammer on my head. How hard should I do that?” I’m going to tell them they shouldn’t be doing that at all. Placing a link on the page is plenty supported, and that’s all that is “needed” in this case, per earlier citations. If even that…

But don’t take my word for it. Feel free to read my earlier citations, or provide citations of your own.

(Matches) #13

I made no assertions on how it should be implemented, and I feel @nahtnam has a good suggestion.

My complaint is instead of doing the reasonable thing like @nahtnam, your response was to tell the OP to break the law.

Also, Amazon DOES comply with the law. Right side, right below the cart icon.

(Jeff Atwood) #14

I’m curious – can you point to even one case of this “law” ever being enforced?

Do you really feel the Internet is embiggened by having a “what is cookies” description link on every page of it?

Anyway, my original objection was to user hostile popups. I’m not too fussed about a link, though I still think it’s a ridiculous, nonsensical, geographically limited Internet “law” that should be actively resisted in every possible way until it is inevitably repealed.

(cpradio) #15

Recategorized as Support; as previously mentioned by @nahtnam, this is supported via the bottom/top/wherever you want admin content sections. Thus, it no longer needs to be a feature/plugin.

(Sam Saffron) #16

Looks like it comes in 3 flavors. Information only is easy… the other 2 are a nightmare.

(Matches) #17

Granted this looks like they are losing, but do you as a small business owner want to be sued by a government for being out of compliance?

I don’t know the actual law’s name, so this is what came up for EU cookie law lawsuit. Give me an official name for it and I can probably find you a lawsuit against individual corporations.

It’s about risk of being out of compliance vs risk of compliance. If it’s worth it to you to be out of compliance and risk a lawsuit instead of putting an informational page up, great. But the OP has indicated they want to be in compliance.

(lid) #18

How do you remember if the user opts in or out of the use of a cookie?

Do you use a cookie to remember that?

(Sam Saffron) #19

You have 2 options

  1. Comply and lose 50% of your customers
  2. Don’t comply and get sued

Pick your poison… nice one EU.

Explicit Consent
This is an opt-in method, and the most restrictive of the three. Cookies are blocked by default. Cookie Control lets the user know (providing links to the cookie and privacy policy documents). The user may allow cookies using the Cookie Control widget. Cookie Control behaves slightly different in this mode, attracting the user’s attention more proactively.

That would literally scare away a huge portion of customers any online business has. Countries requiring explicit consent have themselves a law that is hostile to small businesses.

Pertaining to Discourse, we don’t plan to spend time in the next year working on a “cookies off” yet “logged on” solution. If people want the information thing then fine, they already can do that today.

(Matches) #20

Maybe append to a get/post?
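
Added example, not part of any post above and not Discourse or Cookie Control code: a sketch of the explicit-consent mode quoted in #19 (non-functional cookies blocked by default) that answers the question in #18 by storing the visitor's choice in a cookie of its own. The cookie names, the allow-list and the `ConsentGate` and `FakeDocument` classes are hypothetical, and treating the consent record as a functional cookie is an assumption of the example.

```javascript
// Added example: opt-in cookie gate. All names here are hypothetical.
const CONSENT_COOKIE = "cookie_consent";                   // assumed name
const FUNCTIONAL = new Set(["_session", CONSENT_COOKIE]);  // assumed allow-list

// Minimal stand-in for document.cookie so the example runs outside a browser.
class FakeDocument {
  constructor() { this.jar = new Map(); }
  get cookie() { return [...this.jar].map(([k, v]) => `${k}=${v}`).join("; "); }
  set cookie(str) {
    const [pair, ...attrs] = str.split(";").map(s => s.trim());
    const i = pair.indexOf("=");
    const name = pair.slice(0, i), value = pair.slice(i + 1);
    // Max-Age=0 is how a page asks the browser to delete a cookie.
    if (attrs.some(a => /^max-age=0$/i.test(a))) this.jar.delete(name);
    else this.jar.set(name, value);
  }
}

class ConsentGate {
  constructor(doc) { this.doc = doc; }
  // Stored decision: "granted", "denied", or null when the user was never asked.
  decision() {
    const re = new RegExp(`(?:^|; )${CONSENT_COOKIE}=(granted|denied)`);
    const m = this.doc.cookie.match(re);
    return m ? m[1] : null;
  }
  names() {
    return this.doc.cookie.split("; ").filter(Boolean).map(p => p.split("=")[0]);
  }
  // Remember the choice; on denial also delete non-functional cookies already set.
  decide(granted) {
    const v = granted ? "granted" : "denied";
    this.doc.cookie = `${CONSENT_COOKIE}=${v}; Max-Age=31536000; Path=/; SameSite=Lax; Secure`;
    if (granted) return;
    for (const name of this.names()) {
      // In a real browser the Path/Domain must match those used when setting.
      if (!FUNCTIONAL.has(name)) this.doc.cookie = `${name}=; Max-Age=0; Path=/`;
    }
  }
  // Write a cookie only if it is functional or consent has been granted.
  set(name, value) {
    if (!FUNCTIONAL.has(name) && this.decision() !== "granted") return false;
    this.doc.cookie = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Secure`;
    return true;
  }
}
```

In a browser, pass `document` instead of a `FakeDocument`; third-party scripts that set their own cookies have to be loaded only after `decision()` returns `"granted"`, since this gate covers only writes made through `set`.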